Dependently  Typed  Programming 
with  Domain- Specific  Logics 

Daniel  R.  Licata 

CMU-CS-1 1-105 

February  28,  2011 


School  of  Computer  Science 
Carnegie  Mellon  University 
Pittsburgh,  PA  15213 


Thesis  Committee: 

Robert  Harper,  Chair 
Karl  Crary 
Frank  Pfenning 

Greg  Morrisett,  Harvard  University 


Submitted  in  partial  fulfillment  of  the  requirements 
for  the  degree  of  Doctor  of  Philosophy. 


Copyright  ©2011  Daniel  R.  Licata 

This  research  was  sponsored  in  part  by  the  National  Science  Foundation  under  grant  numbers  CCF-0702381,  CCR- 
0325808,  CCR-0121633;  by  the  US  Army  Research  Office  under  grant  number  DAAD- 1902 10389;  and  by  the 
Pradeep  Sindhu  Computer  Science  Fellowship.  The  views  and  conclusions  contained  in  this  document  are  those 
of  the  author  and  should  not  be  interpreted  as  representing  the  official  policies,  either  expressed  or  implied,  of  any 
sponsoring  institution,  the  U.S.  government  or  any  other  entity. 


Report  Documentation  Page 

Form  Approved 

OMB  No.  0704-0188 

Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 

1.  REPORT  DATE 

28  FEB  2011  2- REPORT  TYPE 

3.  DATES  COVERED 

00-00-2011  to  00-00-2011 

4.  TITLE  AND  SUBTITLE 

Dependency  Typed  Programming  with  Domain- Specific  Logics 

5a.  CONTRACT  NUMBER 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Carnegie  MellonUniversity  , School  of  Computer 

Science, Pittsburgh, PA, 15213 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR'S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 


14.  ABSTRACT 

This  dissertation  describes  progress  on  programming  with  domain-specific  specification  logics  in 
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logics  include  separation  logic,  which  has  been  used  to  verify  imperative  programs,  and  authorization 
logics,  which  have  been  used  to  verify  security  properties  in  security-typed  languages.  The  first  goal  of  the 
research  described  here  is  to  show  that  it  is  possible  to  define,  study,  automate,  and  use  domain-specific 
logics  within  a  dependently  typed  programming  language.  We  demonstrate  this  fact  with  a  significant  new 
example  showing  how  to  embed  a  security-typed  language  using  dependent  types.  This  example  suggests 
that  better  support  for  programming  with  logics  in  type  theory  will  facilitate  this  style  of  program 
verification.  The  central  notion  in  logic  is  consequence?entailment  from  premises  to  conclusions?and  two 
notions  of  consequence  are  necessary  for  programming  with  logics:  derivability,  which  captures  uniform 
reasoning,  and  admissibility,  which  captures  inductive  proofs  and  functional  programs.  Presently, 
derivability  is  better  supported  in  LF-based  proof  assistants  such  as  Twelf,  Delphin,  and  Beluga,  whereas 
admissibility  is  better  supported  in  proof  assistants  based  on  Martin-L?f  type  theory,  such  as  Coq,  Agda, 
and  Epigram.  Our  second  contribution  is  to  show  that  it  is  possible  to  implement,  within  a  dependently 
typed  programming  language,  a  logical  framework  that  allows  derivability  and  admissibility  to  be  mixed  in 
novel  and  interesting  ways.  The  above  framework  is  simply-typed,  which  makes  it  suitable  for 
programming  with  abstract  syntax  but  not  logical  derivations.  Our  third  contribution  is  to  generalize  this 
framework  to  dependent  types,  which  we  accomplish  as  an  instance  of  a  more  general  problem:  We 
describe  Directed  Type  Theory  (DTT),  a  new  notion  of  dependent  type  theory,  inspired  by 
higher-dimensional  category  theory,  which  equips  each  type  with  a  notion  of  transformation  on  its 
elements.  The  structural  properties  of  a  logic  arise  as  a  special  case,  by  considering  a  type  of  contexts 
equipped  with  an  appropriate  notion  of  transformation.  DTT  is  an  exciting  development  independently  of 
our  application,  as  it  generalizes  recent  connections  between  type  theory,  homotopy  theory,  and  category 
theory  to  the  asymmetric  case. 
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With  every  day,  and  from  both  sides  of  my  intelligence,  the  moral  and  the  intellectual,  I  thus 
drew  steadily  nearer  to  that  truth,  by  whose  partial  discovery  I  have  been  doomed  to  such  a 
dreadful  shipwreck:  that  man  is  not  truly  one,  but  truly  two.  . .  .It  was  on  the  moral  side,  and 
in  my  own  person,  that  I  learned  to  recognise  the  thorough  and  primitive  duality  of  man;  I  saw 
that,  of  the  two  natures  that  contended  in  the  field  of  my  consciousness,  even  if  I  could  rightly 
be  said  to  be  either,  it  was  only  because  I  was  radically  both;  and  from  an  early  date,  even 
before  the  course  of  my  scientific  discoveries  had  begun  to  suggest  the  most  naked  possibility  of 
such  a  miracle,  I  had  learned  to  dwell  with  pleasure,  as  a  beloved  daydream,  on  the  thought  of 
the  separation  of  these  elements.  If  each,  I  told  myself,  could  be  housed  in  separate  identities, 
life  would  be  relieved  of  all  that  was  unbearable;  the  unjust  might  go  his  way,  delivered  from 
the  aspirations  and  remorse  of  his  more  upright  twin;  and  the  just  could  walk  steadfastly  and 
securely  on  his  upward  path,  doing  the  good  things  in  which  he  found  his  pleasure,  and  no 
longer  exposed  to  disgrace  and  penitence  by  the  hands  of  this  extraneous  evil.  It  was  the  curse  of 
mankind  that  these  incongruous  faggots  were  thus  bound  together — that  in  the  agonised  womb 
of  consciousness,  these  polar  twins  should  be  continuously  struggling.  How,  then  were  they 
dissociated? 

—  Strange  Case  of  Dr  Jekyll  and  Mr  Hyde,  Robert  Louis  Stevenson 
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This  dissertation  describes  progress  on  programming  with  domain-specific  spec¬ 
ification  logics  in  dependently  typed  programming  languages.  Domain-specific  log¬ 
ics  are  a  promising  way  to  verify  software,  using  a  logic  tailored  to  a  style  of  pro¬ 
gramming  or  an  application  domain.  Examples  of  domain-specific  logics  include 
separation  logic,  which  has  been  used  to  verify  imperative  programs,  and  authoriza¬ 
tion  logics,  which  have  been  used  to  verify  security  properties  in  security-typed  lan¬ 
guages.  The  first  goal  of  the  research  described  here  is  to  show  that  it  is  possible  to 
define,  study,  automate,  and  use  domain-specific  logics  within  a  dependently  typed 
programming  language.  We  demonstrate  this  fact  with  a  significant  new  example, 
showing  how  to  embed  a  security-typed  language  using  dependent  types. 

This  example  suggests  that  better  support  for  programming  with  logics  in  type 
theory  will  facilitate  this  style  of  program  verification.  The  central  notion  in  logic  is 
consequence — entailment  from  premises  to  conclusions — and  two  notions  of  conse¬ 
quence  are  necessary  for  programming  with  logics:  derivability,  which  captures  uni¬ 
form  reasoning,  and  admissibility,  which  captures  inductive  proofs  and  functional 
programs.  Presently,  derivability  is  better  supported  in  LF-based  proof  assistants, 
such  as  Twelf,  Delphin,  and  Beluga,  whereas  admissibility  is  better  supported  in 
proof  assistants  based  on  Martin-Lof  type  theory,  such  as  Coq,  Agda,  and  Epigram. 
Our  second  contribution  is  to  show  that  it  is  possible  to  implement,  within  a  depen¬ 
dently  typed  programming  language,  a  logical  framework  that  allows  derivability 
and  admissibility  to  be  mixed  in  novel  and  interesting  ways. 

The  above  framework  is  simply-typed,  which  makes  it  suitable  for  programming 
with  abstract  syntax  but  not  logical  derivations.  Our  third  contribution  is  to  general¬ 
ize  this  framework  to  dependent  types,  which  we  accomplish  as  an  instance  of  a  more 
general  problem:  We  describe  Directed  Type  Theory  (DTT),  a  new  notion  of  depen¬ 
dent  type  theory,  inspired  by  higher-dimensional  category  theory,  which  equips  each 
type  with  a  notion  of  transformation  on  its  elements.  The  structural  properties  of  a 
logic  arise  as  a  special  case,  by  considering  a  type  of  contexts  equipped  with  an  ap¬ 
propriate  notion  of  transformation.  DTT  is  an  exciting  development  independently 
of  our  application,  as  it  generalizes  recent  connections  between  type  theory,  homo- 
topy  theory,  and  category  theory  to  the  asymmetric  case. 
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Chapter  1 
Introduction 


Up  until  the  fall  of  2009,  Carnegie  Mellon  University’s  computer  science  department  was  housed 
in  a  building  named  Wean  Hall,  an  eight-story  bunker  of  a  building  whose  dominant  architectural 
feature  is  bare  concrete.  On  the  fourth  floor  of  Wean  Hall  was  the  graduate  student  lounge,  a 
room  decorated  with  a  billowy  sky-blue  table,  neon  hanging  lampshades,  and  floor-to-ceiling 
whiteboards.  On  the  wall  outside  the  lounge  was  a  bronze  plaque  of  eight  quotations  by  Alan 
Perlis,  the  first  head  of  Carnegie  Mellon’s  computer  science  department,  taken  from  his  Epigrams 
on  Programming  ( Perils  1  1982).  Sixth  from  the  top  was  the  following: 

It  is  easier  to  write  an  incorrect  program  than  understand  a  correct  one. 


This  dissertation  describes  progress  towards  invalidating  Perlis ’s  epigram,  in  two  ways:  making 
incorrect  programs  harder  to  write  and  correct  programs  easier  to  understand. 


To  illustrate  these  ideas,  imagine  that  it  is  the  mid-1990s  and  you  are  writing  the  first  airline 
search  Web  site,  Ellipsez.com.  Just  after  launching  the  first  version,  you  notice  that  your  cus¬ 
tomers  tend  to  click  through  all  the  pages  of  search  results  looking  for  the  flight  with  the  lowest 
price.  So,  you  think,  Ellipsez.com  should  automatically  sort  the  results  by  price,  and  display 
them  from  lowest  to  highest.  To  do  this,  you  implement  a  function  sort  which  takes  a  list  of 
flights  and  puts  them  into  increasing  order  by  price.  First  of  all,  it  is  important  that  this  new  sort 
functionality  does  not  crash:  if  it  crashes,  then  Ellipsez.com  will  never  display  any  results  at  all, 
so  no  one  can  buy  anything  through  it.  It  is  also  important  that  the  flights  are  actually  ordered 
by  price — if  the  best  price  is  on  page  three  instead  of  page  one,  your  customers  might  miss  it, 
and  think  that  your  competitors  are  searching  more  flights  than  you  are.  For  similar  reasons,  it  is 
important  that  sort  does  not  drop  any  flights,  or  include  flights  that  were  not  in  the  original  list. 
These  are  examples  of  different  notions  of  correctness. 

At  some  point  later,  you,  or  maybe  one  of  the  many  programmers  you  hire  after  Ellipsez.com 
gets  popular,  will  notice  that  now  the  customers  are  clicking  through  the  pages  of  search  results 
looking  for  one  that  departs  at  a  particular  time,  rather  than  just  picking  the  cheapest  one.  So  you 
want  to  go  back  and  change  the  code  for  sort  so  that  you  can  order  flights  not  only  by  price,  but 
also  by  time  of  departure,  arrival,  and  so  on.  To  do  this,  it  is  important  that  the  code  for  sort  be 
understandable  so  that  you  or  other  programmers  can  change  and  maintain  it. 

There  are  a  variety  of  techniques  that  help  programmers  write  correct  and  understandable 
software.  In  this  dissertation,  we  focus  on  static,  or  compile-time,  techniques,  used  when  the 
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programmer  is  writing  a  program — as  opposed  to  dynamic ,  or  run-time,  techniques,  used  when 
the  user  is  running  a  program.  One  simple  technique  is  testing :  the  programmer  runs  sort  on 
some  example  search  results  and  sees  that  it  does  the  right  thing.  While  testing  can  help  find 
bugs  and  boost  confidence,  it  cannot  show  that  there  is  no  circumstance  in  which  sort  fails.  Prov¬ 
ing  that  sort  is  correct  on  all  possible  inputs  takes  more  sophisticated  techniques  based  on  logic. 
Type  systems,  as  in  programming  languages  such  as  ML  (|Milner  et  al  4 1 1 997])  and  Haskell  (Pey 


ton  Jones]  |2003),  are  a  lightweight  approach  that  provides  certain  limited  but  useful  guarantees 


(for  example,  they  rule  out  certain  kinds  of  crashes).  A  more  expressive,  but  also  more  costly, 
technique  is  to  use  a  specification  logic  such  as  Hoare  logic  (Hoare  1969),  a  mathematical  for¬ 
malism  in  which  a  program  can  be  proved  to  have  certain  correctness  properties  (“for  all  lists 
l,  sort  produces  a  permutation  of  the  flights  in  l  which  is  in  increasing  order  by  price”)-  A  de¬ 
pendent  type  theory  (Martin-Lofj  1 1975])  integrates  these  two  approaches  into  a  type  system  rich 
enough  to  express  logical  specifications.  Type  systems  and  specification  logics  also  make  pro¬ 
grams  more  understandable.  Because  types  and  specifications  provide  a  concise  summary  of  the 
behavior  of  a  piece  of  code,  they  are  often  easier  to  understand  than  the  code  itself.  Additionally, 
because  this  documentation  is  machine-checkable,  it  does  not  get  out  of  date.  Moreover,  types 
and  specifications  enable  modular  programming,  where  one  piece  of  code  relies  only  on  the  type 
or  specification  of  another,  allowing  the  two  pieces  of  code  to  be  modified  independently. 

However,  different  programs  and  correctness  properties  require  different  logics  tailored  to 
reasoning  about  them:  For  example,  Hoare  logic  and  separation  logic  (Reynolds,  2002)  are 
used  to  reason  about  imperative  programs  which  manipulate  the  state  of  memory  in  intricate 
ways.  Temporal  logics  (Clarke  et  al.]  [2002j)  are  used  to  reason  about  the  evolution  of  concur¬ 
rent  processes.  Authorization  logics  (|Abadi  et  al.j,  [1993)  are  used  to  verify  security  properties 
(Ellipsez.com  does  not  leak  your  credit  card  number  to  anyone).  Differential  dynamic  logic  is 
used  to  reason  about  hybrid  (discrete/continuous)  cyber-physical  systems  (Platzer,  2010).  Be¬ 
cause  different  logics  are  appropriate  for  different  tasks,  specification  logic  design  necessarily 
becomes  part  of  the  programming  process. 


What  are  the  typical  activities  involved  in  designing  a  new  logic?  The  first  task  is  to  define 
the  logic,  and  write  down  the  syntax  of  its  propositions  and  proof  rules.  This  must  include  a  way 
of  integrating  the  logic  with  the  programming  language,  either  by  allowing  logical  formulas  that 
refer  to  programs,  as  in  a  specification  logic,  or  by  externally  assigning  propositions  to  programs, 
as  in  a  type  system.  To  show  that  the  logic  is  reasonable,  it  is  common  to  prove  some  sort  of 
correctness  result  about  the  logic:  one  may  prove  that  the  logic  is  consistent,  or  more  generally 
that  it  ensures  that  programs  have  the  properties  of  interest.  Such  proofs  may  use  syntactic 
methods  (structural  induction  on  derivations),  or  semantic  ones  (showing  that  the  logic  is  sound 
and/or  complete  with  respect  to  a  notion  of  truth).  Next,  to  make  verification  practical,  it  is 
common  to  implement  some  sort  of  automated  or  interactive  theorem  proving  for  the  logic. 


At  a  high  level,  the  first  goal  of  the  research  described  here  is  to  advance  the  idea  that 


It  is  possible  to  define,  study,  automate,  and  use  domain-specific  logics  within  a 
dependently  typed  programming  language. 


Dependent  types  make  logic  design  part  of  the  programming  process,  so  that  programmers  can 
define  logics  and  use  them  both  to  reason  about  their  code  and  to  explain  it  to  others.  The  result 
is  code  that  tells  you  why  it  works.  All  of  the  tasks  involved  in  programming  with  logics  can  be 
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carried  out  within  a  dependently  typed  host  language,  which  improves  on  current  practice,  where 
it  is  common  to  implement  logics  and  type  systems  either  within  language  implementations  or 
as  external  tools.  Dependently  typed  languages  provide  richer  tools  for  describing,  studying,  and 
implementing  logics  than  the  current  simply-typed  languages  used  in  these  implementations,  and 
they  permit  program  verification  as  well. 

Though  the  particular  approach  that  we  advocate  has  some  modern  twists,  this  general  ap¬ 
proach  to  program  verification  is  an  old  idea  and  it  is  only  through  decades  of  work  on  depen¬ 
dently  typed  proof  assistants  and  programming  languages  that  it  is  now  becoming  a  reality.  In 
Part  |T]  of  this  dissertation,  we  contribute  some  new  examples  as  further  evidence  of  the  above 
claim.  Our  most  significant  new  example  shows  how  to  do  security-typed  programming,  in  the 
style  of  the  languages  PCML5  (|Avijit  et  akj  |2010|),  Aura  (|Jia  et  al.[  |2008 ),  and  Fine  ( Swamy 
et  al.[ |2010|),  within  a  dependently  typed  programming  language.  Second,  we  show  how  to  rep¬ 
resent  and  implement  the  semantics  of  Reed  and  Pierce  (2010|)’s  type  system  for  differential 
privacy  (Dinur  and  Nissim]  2003 }  Dwork  and  Nissim]  2004]  Dwork  et  al.[  2006),  which  pro¬ 
vides  an  extensible  approach  to  implementing  differentially  private  algorithms  in  a  formally  cer¬ 
tified  manner.  Throughout  the  dissertation,  we  use  the  dependently  typed  programming  language 
Agda  (|Norell[  [2007  ). 

Of  course,  we  would  like  to  achieve  a  state  of  affairs  where  it  is  not  just  possible,  but  practi¬ 
cal ,  to  program  with  logics  using  dependent  types.  At  present  researchers  can,  with  some  effort, 
do  this  type  of  programming,  but  we  have  not  achieved  the  practicality  necessary  for  wide-spread 
adoption.  The  remaining  parts  of  this  thesis  make  some  technical  contributions  towards  making 
programming  with  logics  easier. 


Mixing  derivability  and  admissibility  A  key  notion  in  logic  is  the  hypothetical  judgement, 
which  codifies  reasoning  from  assumptions.  Any  tool  for  programming  with  logics  must  sup¬ 
port  two  notions  of  hypothetical  judgement,  derivability,  which  captures  uniform  reasoning,  and 
admissibility,  which  captures  inductive  proofs  and  functional  programs.  These  notions  are  es¬ 
sential  for  describing  and  programming  with  logics.  Derivability  is  better  supported  in  proof 
assistants  that  use  type  theory  in  the  style  of  LF  (Harper  et  ak]|1993[),  whereas  admissibility  is 
better  supported  in  proof  assistants  that  use  type  theory  in  the  style  of  Martin-Lof  type  theory 
(MLTT)  (Martin-Lof,  [T975]). 

Our  aim  is  to  heal  this  divide  by  proving  better  support  for  derivability  in  MLTT.  In  the 
process,  we  have  an  opportunity  to  go  beyond  previous  work,  by  allowing  admissibility  and 
derivability  to  interact  in  new  ways.  Part  [TT]  of  this  dissertation  is  devoted  to  studying  these 
interactions.  In  particular,  we  show  that 

It  is  possible  to  implement,  within  a  dependently  typed  programming  language,  a 
logical  framework  that  allows  derivability  and  admissibility  to  be  mixed  in  novel 
and  interesting  ways. 

We  were  originally  motivated  to  consider  these  interactions  by  studying  derivability  and  ad¬ 
missibility  in  the  context  of  Zeilberger’s  higher-order  focusing  (|Zei lbergcrj,  2008a|b[  2009 j).  Zeil- 
berger’s  previous  work  showed  how  to  do  higher-order  focusing  for  classical  logic,  and  for  the 
“positively-only”  part  of  intuitionistic  logic.  Our  work  in  this  part  also  includes  a  formulation  of 
higher-order  focusing  for  full  intuitionistic  propositional  logic,  which  is  of  interest  independently 
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of  the  application. 


Directed  Dependent  Type  Theory  The  dependently  typed  analogue  of  the  hypothetical  judge¬ 
ment  is  called  the  generic  judgement,  and  implementing  a  logical  framework  with  genericity  is 
not  as  easy.  The  difficulty  comes  in  implementing  the  structural  properties  of  the  generic  judge¬ 
ment.  We  analyze  these  difficulties  as  an  instance  of  a  much  more  general  phenomenon,  that  of 
dependently  typed  programming  with  directed  types. 

In  the  standard  interpretation  of  type  theory,  a  type  may  be  thought  of  as  a  set  of  values, 
and  any  two  values  may  or  may  not  be  equal.  This  interpretation  turns  out  to  be  level  1  in  a 
hierarchy  of  more  structured  types.  Down  at  level  0  are  the  propositions :  proof-irrelevant  types 
whose  members  are  all  equal  (if  there  are  any).  Up  at  level  2  are  types  that  contain  values,  but 
these  values  may  be  related  in  more  ways  than  just  equality.  For  example,  one  could  have  a 
type  whose  values  are  themselves  (smaller)  types,  which  are  considered  equal  iff  they  are  iso¬ 
morphic — there  are  functions  back  and  forth  that  compose  to  the  identity.  This  generalizes  the 
notion  of  a  quotient  type  (a  type  equipped  with  an  equivalence  relation)  by  allowing  multiple, 
computationally  relevant  proofs  of  equivalence.  Level  3  gives  the  notion  of  equivalence  of  cate¬ 
gories,  or  “isomorphism  up  to  isomorphism,”  of  category  theory,  and  in  general  level  n  gives  the 
(weak)  n-cquivalcncc  of  higher-dimensional  category  theory.  Higher-dimensional  type  theories 
make  this  dimension  hierarchy  available  to  the  programmer.  The  turnstile  in  typing  judgements 
is  interpreted  as  Junctoriality:  any  judgement  T  h  J  means  not  only  that  J  is  well-formed  in 
T,  but  also  that  “equal”  T’s  give  “equal”  J’s,  where  “equal”  is  in  the  sense  appropriate  for  the 
levels  of  T  and  J .  These  ideas  are  being  explored  in  work  connecting  Martin-Lof  type  theory, 
higher-dimensional  category  theory,  and  homotopy  theory  (Awodey  and  Warren, |2009|  Hofmann 


and  Streicher  1998  Lumsdaine],  2009}  van  den  Berg  and  Garner}  2010}  [Voevodsky }  2010).  This 


work  promises  a  new  class  of  proof  assistants  that  intrinsically  support  proof  irrelevance,  equal¬ 
ity,  isomorphism,  equivalence  of  categories,  and  so  on,  and  thus  will  be  much  more  convenient 
for  formalizing  mathematics. 

The  structural  properties  of  the  generic  judgement  are  instance  of  higher-dimensional  struc¬ 
ture,  given  by  entailment  between  logical  propositions.  However,  entailment  is  not  symmetric, 
and  thus  is  not  an  instance  of  the  higher-dimensional  theories  discussed  above,  which  account 
only  for  symmetric  notions  of  equivalence.  This  application  prompted  us  to  begin  to  study  a  new 
notion  of  directed  dependent  type  theory  which  accounts  for  asymmetric  or  directed  types.  This 
requires  not  just  a  new  semantic  interpretation,  but  also  a  new  proof  theory,  as  MLTT  proves 
symmetry  of  equivalence.  In  Part  [lilt  we  study  the  2-dimensional  case,  which  accounts  for  types 
of  level  2,  and  give  it  a  semantics  in  category  theory.  We  show  that 

A  language  with  directed  types  provides  a  useful  framework  for  describing  the  struc¬ 
tural  properties  of  the  generic  judgement. 


Directed  type  theory  is  of  interest  independently  of  our  application,  as  it  extends  the  connec¬ 
tion  between  type  theory,  higher-dimensional  groupoids,  and  homotopy  theory  to  directed  type 
theory,  higher-dimensional  categories,  and  directed  homotopy  theory. 


Chapter  2 
Background 


2.1  Logical  Frameworks 

Two  main  tools  are  necessary  to  program  with  logics.  The  first  is  a  mechanism  for  representing 
a  logic  as  data  in  a  program.  This  involves  representing  the  abstract  syntax  of  propositions  and 
proofs.  The  second  is  a  mechanism  for  computing  with  logics:  writing  recursive  functions  that 
case-analyze  and  traverse  syntax.  As  we  will  see  below,  computation  has  many  uses,  such  as 
proving  meta-theorems  about  a  logic,  or  implementing  a  proof  search  procedure. 


2.1.1  First-order  inductive  definitions 


In  this  thesis,  we  concentrate  on  the  proof -theoretic  study  of  logic,  using  natural  deduction  sys¬ 
tems  and  sequent  calculi  (Gentzen,  |1935[).  Proof  theories  are  described  using  inductive  defini¬ 
tions,  presented  as  a  collection  of  inference  rules.  For  example,  one  may  define  a  proposition  to 
be  true  iff  it  is  an  element  of  the  least  set  of  propositions  closed  under  a  collection  of  inference 
rules  of  the  form 

Ai  true  ...  An  true 
C  true 


We  call  such  collections  of  rules  first-order  inductive  definitions.  First-order  inductive  definitions 
have  a  straightforward  set-theoretic  justification:  the  inference  rules  define  a  monotone  operator, 
which  has  a  least  fixed  point. 


2.1.2  Hypothetical  Judgements 


While  first-order  inductive  definitions  suffice  to  define  truth  in  an  axiomatic,  Hilbert- style,  way, 
the  most  important  notion  in  proof  theory  is  consequence :  entailment  of  a  conclusion  from  an 


assumption.  Consequence  is  used,  for  example,  in  the  natural  deduction  (Gentzen,  1935])  rule  for 
implication  introduction: 


A  true 


u 


B  true 
A  D  B  true 


DP 
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This  rule  says  that,  to  conclude  that  the  proposition  A  D  B  is  true,  it  suffices  to  conclude  the 
truth  of  B,  using  a  new,  scoped  assumption  that  A  is  true.  We  indicate  scoping  by  (a)  labelling 
the  assumption  u,  and  (b)  writing  this  label  after  the  name  of  the  inference  rule,  indicating  that 
the  rule  discharges  the  assumption — the  assumption  may  not  be  used  below  the  rule,  in  another 
branch  of  the  derivation  tree. 

What  are  the  characteristics  of  assumptions?  The  first  is  identity:  an  assumption  may  be  used 
to  conclude  what  was  assumed.  That  is,  an  assumption  may  be  used  as  the  leaf  of  a  derivation 
tree;  for  example: 

- u 

A  true  Ju 

A  D  A  true 

The  second  is  a-conversion :  derivations  differing  only  by  the  labels  of  assumptions  are  con¬ 
sidered  equal.  For  example,  the  above  derivation  is  the  same  as 

-  V 

A  true  Jv 

A  D  A  true 

The  third  is  substitution :  a  derivation  may  be  plugged  in  for  an  assumption.  That  is,  given 

- u 

A  true 

V  £ 

A  true  and  B  true 


we  can  form  a  derivation 


[D/u\£ 
B  true 


by  replacing  each  leaf  labelled  u  in  £  with  V. 

This  notion  of  assumptions  is  used  pervasively  in  natural  deduction.  For  example,  in  disjunc¬ 
tion  elimination 

-  U  -=r -  V 

A  true  B  true 


AW  B  true  C  true 
C  true 


C  true 


WEU’V 


each  branch  has  a  scoped  assumption,  of  A  in  one  and  of  B  in  the  other.  Sequent  calculi  can  be 


described  using  this  notion  of  assumption  as  well  (Pfenning  1994). 

The  above  rules  can  be  rephrased  in  a  one-dimensional  syntax  by  collecting  the  assumptions 
into  a  context  T.  For  example: 


r,  u  :  A  true  h  B  true 
T  \~  Ad  B  true 


DP 


Then  we  can  write  the  identity  and  substitution  properties  as  follows: 


r,rj,r'hj 


r,  n  p  ./,  r,u:jur\-j2 
r  ,  r7  h  ,/2 


subst 


Here  we  write  J  to  stand  for  an  arbitrary  judgement. 
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The  one-dimensional  notation  reveals  several  additional  properties  that  were  tacit  above: 


7 

r,  u :  j,  r  b  f 


weaKemng 


T,  u !  :  Ji,u2 


J-  7  ^  7 

r,  ut  :J,r  b  J' 


L-UI  I  LI  dL-LIVJI  I 


Weakening  says  that  an  assumption  may  go  unused.  Exchange  says  that  the  order  of  assumptions 
does  not  matter.  Contraction  says  that  an  assumption  may  be  duplicated  (note  that  it  is  an  in¬ 
stance  of  substitution,  where  one  assumption  is  plugged  in  for  another).  We  refer  to  these  five 
properties  collectively  as  the  structural  properties,  and  we  say  that  a  judgement  that  obeys  them 


is  structural,  or  a  hypothetical  judgement  (Martin-Lof,  1996). 


As  in  the  two-dimensional  notation  discussed  above,  we  identify  derivations  that  differ  only 
in  the  labels  of  assumptions,  such  as 


r,rj,r'hj 


u 


T,v:J,F\-J 


This  allows  us  to  tacitly  maintain  the  invariant  that  all  assumptions  are  distinct;  e.g.  in  D/,  u  can 
and  must  be  distinct  from  all  assumptions  already  in  T. 


2.1.3  Generic  Judgements 


A  close  relative  of  the  hypothetical  judgement  is  the  generic  judgement  (Martin-Lof,  1996),  in 
which  an  assumption  may  be  used  not  only  in  the  derivation  tree,  but  also  in  the  subjects  of  the 
judgement.  This  accounts  for  the  notion  of  variables,  or  binding  and  scope,  used  pervasively 
in  logic  and  programming  languages.  An  example  is  the  universal  quantifier  proposition  Mx.A, 
where  the  variable  x  is  bound  in  the  proposition  A.  The  rules  for  this  connective  are  as  follows: 


T,  x  :  indiv  b  A  true 
T  b  Mx.A  true 


VJ 


T  b  Mx.A  true  T  be:  indiv 

T  b  [e/x\A  true 


WE 


We  use  the  judgement  x  :  indiv  to  mean  that  x  is  an  individual  or  term  of  the  first-order  logic. 
The  premise  of  the  introduction  rule  is  a  derivation  generic  in  the  assumption  x.  The  generic 
judgement  satisfies  structural  properties  analogous  to  above.  For  example,  identity  allows  a 
variable  to  be  used  to  form  a  term,  while  substitution  of  a  term  for  a  variable,  [ e/x \  e' ,  is  used  in 
the  ME  rule. 


Using  generic  judgements  to  model  variables  brings  us  to  another  one  of  Perlis’s  epigrams  (Perlis 
1982): 

As  Will  Rogers  would  have  said,  "There  is  no  such  thing  as  a  free  variable. " 


When  modeled  using  generic  judgements,  every  variable  is  bound,  either  in  a  term  (as  in  Mx.A) 
or  in  the  context  of  a  judgement  (as  in  T,  x  :  indiv  b  A  true).  Treating  the  context  as  a  binding  site 
means  that  judgements  can  be  horizontally  a-converted,  renaming  variables  in  both  the  context 
and  the  right-hand  side.  For  example,  we  equate  the  judgements  x  :  indiv  b  A  true  and  y  :  indiv  b 

[y/x]A  true. 
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We  call  this  approach  to  variables  pronominial :  every  variable  is  a  pronoun  that  refers  to 


a  designated  binding  site.  Other  approaches  to  variables,  such  as  nominal  logic  (Pitts  (2003]), 
instead  conceive  of  variables  as  nouns,  which  exist  independently  of  any  scope. 

The  structural  properties  of  the  generic  judgement  are  as  follows: 


T,  x  :  r,  T7  b  x  :  r 


x 


T  b  e  :  r  T,  x  :  r,  T7  b  J 
T,  [T'/e\x  b  [J/e\x 


subst 


r,  r  b  j' 


r,  x  t,  r  b  j‘ 


7  weakening 


r,x2  :ra,T7  -.TUT'  b  J' 


T,  x1:r1,x2:  r2,  T7  b  J1 


7  exchange 


T,  x  :  t,  y  :  r,  T7  b  J' 
r,x:r,  [x/?/]r7  b  [x/?/]J7 


contraction 


Substitution  reveals  a  somewhat  subtle  staging  issue:  to  state  the  rule  of  substitution,  we  re¬ 
quire  a  substitution  operation  on  the  syntax  of  judgements  J.  This  can  be  sorted  out  in  various 
ways.  One  is  to  distinguish  between  terms  e  :  r  (used  to  represent  propositions  A ,  judgements 
J,  etc.)  and  derivations  of  judgements  V  :  J  and  define  substitution  for  terms  prior  to  substitu¬ 
tion  for  derivations.  An  alternative,  which  avoids  this  distinction,  is  to  first  define  a  substitution 
operation  on  a  raw  syntax  of  (possibly  ill-formed)  derivations,  and  then  to  later  show  that  this 
operation  satisfies  the  formation  rule  given  by  subst.  The  same  issue  comes  up  in  contraction, 
but  not  weakening  and  exchange,  because  we  have  presumed  that  they  do  not  alter  the  syntax  of 
a  judgement — a  presumption  we  will  return  to  below. 


2.1.4  A  Tale  of  Two  Consequence  Relations 

Thus  far,  we  have  considered  the  hypothetical  and  generic  judgements  as  interfaces',  a  relation 
R( T,  A)  is  a  hypothetical/general  consequence  relation  if  it  satisfies  the  appropriate  structural 
properties.  There  are  two  commonly  used  implementations  of  this  interface,  called  derivability 
and  admissibility.  In  a  sense,  derivability  is  the  least  (initial)  consequence  relation,  whereas 
admissibility  is  the  greatest  (final)  one. 

Derivability  To  warm  up,  we  illustrate  these  ideas  for  a  logic  specified  by  a  collection  of  first- 
order  inference  rules,  which  we  will  now  write  in  a  linear  notation  as  J  <—  ./,.....  ./„.  The 
derivability  hypothetical  judgement  is  defined  inductively  to  be  the  least  relation  closed  under 
the  following  rules: 


J  <—  Ji, . . . ,  Jn  is  a  rule  T  b  Ji  . . .  T  b  Jn 
r,u:J,r\-  j  u  r  b  j 

This  definition  generates  the  following  induction  principle: 

For  all  predicates  P(T,  J),  if 

•  P(T,  J )  whenever  u:  J  G  T 

•  for  all  rules  J  Ji, . . . ,  Jn,  if  P(T,  Jf)  and  . . .  and  P(T,  Jn)  then  P(T,  J ) 
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then  for  all  T  and  J,  if  T  F  J,  then  P{V,  J ). 

It  is  simple  to  see  that  this  definition  of  derivability  defines  a  hypothetical  judgement:  identity  is 
taken  as  a  rule,  and  the  remaining  properties  can  be  proved  by  induction. 

Derivability,  as  specified  by  this  inductive  definition,  is  a  very  restricted  notion  of  entailment: 
all  you  can  do  with  an  assumption  is  to  slot  it  in  at  the  leaf  of  a  derivation  tree.  A  consequence 
is  that  derivability  is  open-ended  with  respect  to  future  extensions  of  the  logic:  if  V  b  J  with  a 
particular  collection  of  inference  rules,  then  the  entailment  holds  in  any  larger  set  of  inference 
rules.  A  particularly  illustrative  case  is  a  derivability  false  h  J,  where  false  is  a  judgement  with 
no  inference  rules  concluding  it.  Derivability  does  not  satisfy  the  principle  of  explosion,  which 
states  that  false  entails  any  judgement  J:  there  is  no  way  to  slot  in  an  assumption  of  false  at  a  leaf 
of  a  derivation  tree  to  prove  J  (unless  J  happens  to  explicitly  include  an  inference  rule  allowing 
this). 


Admissibility  Our  second  notion  of  consequence,  admissibility,  does  not  share  this  open-ended 
character.  An  admissibility  T  N  J  is  proved  by  giving  any  function  that,  for  all  proofs  of  every 
assumption  in  T,  delivers  a  proof  of  J .  These  functions  are  drawn  from  the  meta-logic,  the 
ambient  logic  in  which  we  describe  inference  rules.  For  example,  when  working  on  paper  it  is 
common  to  take  the  meta-logic  to  be  set  theory.  At  this  point,  we  do  not  specify  the  meta-logic 
precisely,  but  we  do  assume  that  a  meta-logic  function  may  be  defined  by  induction  on  the  proofs 
of  the  derivability  judgement.  We  also  assume  that  the  meta-logic  functions  satisfy  the  structural 
properties,  so  that  admissibility  does. 

Admissibility  has  many  uses.  For  example,  in  sequent  calculus,  the  proof  rules  are  typically 
defined  so  that  cut  (the  rule  that  allows  the  use  of  lemmas)  is  not  derivable,  but,  crucially,  is 
admissible:  Cut-free  sequent  calculi  guide  the  implementation  of  proof  search  and  make  certain 
meta-theoretic  properties,  such  as  consistency,  obvious.  On  the  other  hand,  a  logic  does  not  make 
sense  unless  proofs  can  in  some  sense  be  substituted  for  assumptions.  Thus,  it  is  typical  not  to 
include  cut  as  an  inference  rule,  but  to  prove  that  all  instances  of  it  hold.  This  theorem  can  be 
phrased  as  an  admissibility,  and  proved  by  induction  on  derivations: 

{A  left  h  C  right),  A  right  1=  C  right 


The  judgements  A  left  and  A  right  represent  the  side  of  the  sequent  on  which  a  proposition  is 
located  (Pfenning, [1994).  Note  that  cut  is  stated  as  a  higher-order  admissibility,  in  the  sense  that 
one  of  the  assumptions  is  itself  a  derivability. 

It  is  also  useful,  if  less  common,  to  use  admissibility  in  the  premises  of  inference  rules.  For 
instance,  admissibility  can  be  used  to  negate  a  judgement  J,  by  writing  J  N  false.  As  an  example, 
consider  a  rule  from  the  operational  semantics  of  a  language  with  mutable  state: 


h  =  h  F  false  lookup  (MJi)  =  v 
lookup(M[/2  i — *  _],  l\)  =  v 


When  the  memory  is  M  extended  with  location  l2  pointing  to  some  value,  and  f  is  not  equal  to 
Z2,  the  result  of  lookup  is  the  result  of  looking  l\  up  in  M.  If  the  memory  may  contain  duplicate 
bindings  of  a  location,  the  disequality  is  necessary  to  ensure  determinism  of  the  operational 
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semantics.  Such  negated  judgements  are  often  written  as  informal  side  conditions  on  inference 
rules;  with  admissibility,  they  can  be  expressed  as  honest  premises. 

Another  well-known  example  uses  the  admissibility  generic  judgement,  which  we  will  write 
x  :  r  N  J.  Such  an  admissibility  is  witnessed  by  a  meta-logic  universal  quantifier.  This  notion 
underlies  the  a; -rule  for  natural  numbers  (Hilbert[[l93i[) 

t :  nat  P{ 0)  true  P{  1)  true  .  .  . 

P(t)  true 

This  rule  states  that  to  prove  P(t)  it  suffices  to  show  P(0),  P(l),  and  so  on — the  rule  has  in¬ 
finitely  many  premises.  This  can  be  represented  by  an  admissibility  judgement: 

t :  nat  n  :  nat  1=  P(n) 

P(t)  true 

A  witness  for  the  second  premise  is  a  function  that  assigns  each  natural  number  n  to  a  proof  of 
P(n),  which  formalizes  the  ellipsis  above.  We  will  see  additional  uses  of  admissibility  premises 
in  the  formulation  of  logic  described  in  Chapter  [6} 

From  a  programming  point  of  view,  admissibility  corresponds  to  computing  with  logics.  For 
example,  a  function  which  translates  one  logic  to  another,  or  implements  a  theorem  prover,  can 
be  represented  using  t=  and  programmed  using  functions  that  recursively  transform  syntax  and 
derivations. 

Relationship  between  derivability  and  admissibility.  Every  derivability  implies  an  admissi¬ 
bility,  but  not  vice  verse.  Assuming  T  h  J,  we  prove  T  N  J  by  giving  a  function  from  closed 
derivations  of  V  to  closed  derivations  of  J.  But  this  is  exactly  the  substitution  property  for  K 
Thus,  we  say  that  every  derivability  determines  an  admissibility  by  substitution.  On  the  other 
hand,  returning  to  the  example  above,  admissibility  does  satisfy  explosion:  the  trivial  function 
with  no  cases  witnesses  false  1=  J .  This  is,  of  course,  not  stable  under  extension  of  the  logic, 
because  if  we  add  an  inference  rule  concluding  false,  the  admissibility  will  no  longer  be  valid. 
This  shows  that  not  every  admissibility  is  also  a  derivability. 

More  generally,  we  define  a  class  of  consequence  relations  T  — >  A  such  that 

•  — ►  is  structural :  it  satisfies  identity,  weakening,  exchange,  contraction,  and  substitution 

•  — >  is  closed :  T  — >  J  if  there  is  a  rule  J  <—  T 

•  — >  is  complete ,  in  the  sense  that  it  does  not  add  any  theorems  relative  to  derivability:  if 
■  — >  J  then  •  h  J . 

Next,  we  order  consequence  relations  by  containment:  —><—>'  iff  for  all  F,./,  F  — >  J 
implies  T  — >'  J. 

The  following  theorem  shows  that  derivability  and  admissibility  are  the  least  and  greatest 
consequence  relations: 

Proposition  2.1.1.  For  all  h  <  — >  <  k 

Proof.  For  the  first  inequality,  we  can  interpret  the  inference  rules  using  structurality  and  closure 
under  the  rules.  For  the  second,  given  T  — >  J  and  a  closed  derivation  of  ■  F  T,  we  must  create  a 


2.1.  LOGICAL  FRAMEWORKS 


11 


closed  derivation  of  •  b  J.  By  minimality  of  h,  •  — >  T.  Then  we  can  use  the  structural  properties 
to  conclude  ■  — >  A,  which  gives  •  h  A  by  completeness.  □ 


2.1.5  Higher-order  Inductive  Definitions 

Our  warm-up  definition  of  the  derivability  judgement  above  covered  only  first-order  inference 
rules  of  the  form  J  <—  -f  However,  in  the  examples,  we  used  derivability  and  admissi¬ 

bility  in  the  premises  of  inference  rules.  When  do  such  premises  make  sense? 


Admissibility  premises  Admissibilities  may  be  problematic,  as  a  rule  like 

J  1=  false 
J 

does  not  induce  a  monotone  operator:  Consider  building  up  the  collection  of  proofs  in  stages, 
ranked  by  their  size.  At  the  first  stage,  J  is  vacuously  true,  so  the  premise  holds.  But  then,  at  the 
second  stage,  J  has  a  proof,  so  this  proof  is  no  longer  valid!  Thus,  not  all  inference  rules  with 
admissibility  premises  give  rise  to  an  inductive  definition.  However,  a  rule  such  as 

J  h  false 
K 


is  permissible  if  J  is  in  some  sense  defined  prior  to  K:  then  it  is  permissible  to  inductively 
analyze  the  proofs  of  J  in  the  definition  of  K.  An  example  is  the  lookup  rule  given  above, 
where  equality  of  locations  can  be  defined  prior  to  lookup.  This  observation  is  formalized  in 
Martin-Lof’s  theory  of  iterated  inductive  definitions  (Martin-Lofj  1971 )  and  the  notion  of  strati¬ 
fication  (jChan|jT9S8j). 


Derivability  premises  On  the  other  hand,  derivability  can  always  be  used  in  the  premise  of 
an  inference  rule.  Intuitively,  this  is  because  derivability  is  such  a  restricted  notion  of  conse¬ 
quence  that  it  does  not  circumscribe  its  assumptions.  Thus,  it  is  unproblematic  to  use  derivability 
assumptions  of  a  judgement  in  its  own  definition.  We  can  formalize  this  by  reducing  infer¬ 
ence  rules  with  derivability  premises  to  first-order  inductive  definitions.  That  is,  we  specify, 
using  first-order  inductive  definitions,  a  formalism  that  allows  inference  rules  with  derivability 
premises.  These  second-order  inference  rules  have  the  form  J  <—  (Ti  h  J\ ), . . . ,  (Tri  h  Jn). 
Second-order  derivability  is  defined  as  follows: 

J  <—  I-  J\), . . . ,  (T„  h  Jn)  is  arule  T,  Ty  h  ,7j  ...  T,Tn\- Jn 

r,rj,r'hj  tkj 

For  example,  Dl  would  be  represented  as  a  rule 

Ad  B  true  <—  ( A  true  h  B  true). 

which,  when  plugged  into  the  above  schema,  yields  the  usual  implication  introduction  rule. 
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When  we  allow  only  first-order  inference  rules,  as  above,  the  definition  of  derivability  is 
parametrized  by  a  context  F:  for  each  context  F.  there  is  an  inductive  definition  of  the  judgement 
T  h  — .  However,  it  is  indexed  by  the  judgement  J:  the  definition  of  T  b  J  refers  to  F  b  ./'  for 
different  J' ,  so  the  entire  family  of  inductive  definitions  must  be  defined  simultaneously.  When 
we  consider  second-order  rules,  T  becomes  an  index  as  well:  the  definition  of  F  b  J  refers  to 
r'  b  J'  for  different  F7  and  J'fl 

Thus,  the  induction  principle  must  be  contextualized,  in  the  sense  that  it  simultaneously 
proves  a  property  of  derivations  in  different  contexts: 


Definition  2.1.2:  Induction  principle  for  second-order  rules.  For  all  predicates 
P(T;J),  if 

•  P(T ;  J )  whenever  u  :  J  €  T 

•  for  all  rules  J  <—  (Fi  b  Ji), . . . ,  (Tn  b  Jn),  if  P(T,  T i;  Ji)  and  . . .  and  P(T,  Tn;  Jn)  then 


P(r;J) 

then  for  all  T  and  J,  if  F  b  ,7,  then  P(T ;  J). 

Rules  of  the  form  J  <—  (Ti  b  Ji), . . . ,  (rn  b  Jn)  are  local :  they  specify  only  the  additions  to 
the  context  in  each  premise.  Consequently,  such  rules  are  pure  (Avron,  1991):  they  apply  equally 


well  in  any  context.  Because  all  rules  are  pure,  second-order  derivability  can  be  proved  structural 
generically,  independent  of  the  particular  inference  rules. 

Alternatively,  one  might  consider  rules  written  in  a  global  notation,  which  allow  arbitrary 
constraints  on  the  context.  Such  rules  may  be  impure,  in  the  sense  that  they  may  not  apply 
in  all  contexts,  which  may  invalidate  the  structural  properties.  An  example  of  such  a  rule  is  ! 
introduction  in  linear  logic  (jGirard,  1987),  which  applies  only  in  a  context  made  up  entirely  of 
assumptions  of  the  form  l  A : 

\T  b  A  true 
!r  HA  true 


As  a  consequence  of  this  rule  (among  others),  linear  logic  does  not  satisfy  weakening. 

Global  rules  are  not  the  only  source  of  impurity:  admissibility  premises  also  may  introduce 
impurity,  as  they  allow  rules  to  inspect  the  ambient  context.  For  example,  consider  a  rule  of  the 
form  J  <—  (K  b  false).  Then  J  may  be  provable  in  a  context  F,  if  it  happens  that  it  is  impossible 
to  prove  K  from  T.  However,  this  derivation  cannot  be  weakened  to  the  context  (F,  K),  in 
which  K  is  provable  by  identity!  The  study  of  the  impurities  arising  from  admissibility  is  one 
contribution  of  this  thesis. 

Thus  far,  we  have  been  informal  about  the  representation  of  T  and  the  names  of  assumptions. 
However,  we  would  like  an  inference  rule  formalism  that  allows  general,  in  addition  to  hypothet¬ 
ical,  judgements,  in  inference  rule  premises — where,  in  F,;  b  J*,  the  assumptions  in  F,  may  occur 
in  J.  Thus,  a  context  extension  T,  T,  must  ensure  that  the  assumption  names  in  F  do  not  clash 
with  those  in  F,;.  On  paper,  it  is  common  to  work  with  the  following  interface:  In  an  inference 
rule,  the  assumption  names  in  F,  are  treated  as  a  binding  site,  and  in  induction,  these  assumption 
names  can  be  tacitly  a-converted — e.g.  P(T,  u  :  J;  A')  is  the  same  as  P(r,  v  :  J;  [v/u\K).  Thus, 
when  proving  that  P(r,  F;: ./, )  implies  P(T ;  J),  one  never  runs  into  a  situation  where  the  premise 

'Though  both  are  indices,  there  is  folklore  terminology  for  a  further  distinction  between  T  and  J:  T  is  a  “Protes¬ 
tant”  index,  which  means  that  it  varies  only  in  premises,  but  is  fully  general  in  the  conclusion  of  each  rule.  On  the 
other  hand,  J  is  a  “Catholic”  index,  which  means  that  it  may  be  specialized  in  the  conclusion  of  rules  (like  Dl). 
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or  conclusion  has  the  “wrong”  assumption  names.  We  call  this  induction  modulo  a-conversion. 
However,  it  takes  some  care  to  provide  this  interface  in  a  proof  assistant,  as  we  now  discuss. 


2.1.6  Logical  Frameworks 

The  formalisms  for  first-order  inductive  definitions,  derivability,  and  second-order  derivability 
defined  above  are  examples  of  logical  frameworks :  a  logical  framework  is  a  meta-logic  that 
makes  it  convenient  to  specify  and  reason  about  logics.  For  example,  the  formalism  for  second- 
order  derivability  permits  one  to  represent  a  logic  by  inference  rules,  and  reason  about  it  by 
induction-mod-Q:.  The  framework  provides  operations,  such  as  the  structural  properties,  generi- 
cally  for  all  logics  thus  represented.  While  logical  frameworks  are  helpful  when  reasoning  infor¬ 
mally  on  paper,  they  are  especially  useful  for  mechanized  reasoning  on  a  computer,  because  one 
cannot  be  sloppy  about  details.  In  this  section,  we  review  the  support  for  inductive  definitions, 
derivability,  and  admissibility  in  existing  logical  frameworks. 

Many  logical  frameworks  are  based  on  type  theory,  and  in  particular  dependent  type  theory. 
In  such  frameworks,  base  judgements  are  represented  as  type  families.  For  example,  the  judge¬ 
ment  A  true  is  represented  by  a  type  family  true  :  prop  — >  type,  where  the  type  true  A  classifies 
derivation  trees  witnessing  A  true. 

Next,  the  notions  of  derivability  and  admissibility  are  represented  as  function  types.  For 
admissibility,  this  representation  should  be  unsurprising:  an  admissibility  J  1=  K  is  witnessed  by 
a  meta-logic  function  from  derivations  of  J  to  derivations  of  K. 

For  derivability,  we  view  a  proof  from  assumptions  as  a  term  with  free  variables.  An  open 
term  with  a  designated  free  variable  determines  a  function  (and  therefore  an  admissibility)  by 
substitution.  For  example,  a  deduction 

, - u 

A  true 

B  true 


is  represented  by  a  term  V  with  free  variable  u.  This  determines  a  function  Xu.'D.  that,  when 
applied  to  a  derivation  S,  returns  the  substitution  instance  \£/u\'D.  Such  functions  are  often 
called  parametric  or  schematic  or  uniform,  as  they  simply  slot  their  argument  in  for  the  variable, 
without  analyzing  them. 

The  term  higher-order  abstract  syntax  (Church[  1940}  Harper  et  al.[  1993 ;  Pfenning  and  El- 


liott[  1988 1  has  historically  been  used  to  refer  to  the  representation  of  derivability  using  functions 


of  a  logical  framework,  though  the  term  has  sometimes  also  been  used  to  refer  to  representing 
admissibility  using  functions  of  a  logical  framework  (Zeilberger  2008b).  In  this  thesis,  we  will 
use  the  term  to  refer  to  derivability,  unless  it  is  qualified  to  indicate  otherwise. 

Next,  we  overview  the  support  for  derivabilities  and  admissibilities  in  various  logical  frame¬ 
works. 


Church’s  theory  of  types 

The  use  of  functions  to  represent  derivability  dates  back  to  Church’s  definition  of  higher-order 
logic  in  his  theory  of  types  ()Church[[l940[).  The  relevant  aspects  for  our  purposes  are:  Base  types 
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are  used  to  represent  syntax,  such  as  a  type  i  for  individuals  and  o  for  propositions.  Functions  of 
the  type  theory  are  used  to  represent  variable  binding;  e.g.  the  universal  quantifier  is  represented 
by  a  constant  all  :  (i  — >  o)  — >  o.  Why  should  — >  be  read  as  derivability,  not  admissibility?  The 
reason  is  that  base  judgements  are  represented  as  uninterpreted  base  types,  and  there  are  no  rules 
for  deconstructing  base  types.  Thus,  the  function  space  of  the  type  theory  allows  only  schematic 
or  uniform  use  of  assumptions,  not  inductive  analysis  of  them.  So  the  type  theory  can  been  seen 
as  a  meta-logic  with  support  for  derivability  but  not  admissibility. 


LF 


This  representation  style  was  extended  to  judgements  in  the  LF  logical  framework  (Harper  et  al. 


1993),  which  uses  a  dependent,  rather  than  simple,  type  theory  as  a  representation  language. 
With  a  dependently  typed  framework,  one  can  represent  not  just  syntax  (i  and  o)  but  also  judge¬ 
ments  ( A  true)  and  derivations.  Judgements  are  still  represented  using  indexed  base  types,  so 
the  LF  function  space  A  — >  B  represents  derivability,  not  admissibility.  Moreover,  the  LF  de¬ 
pendent  function  space  U  x : A.  B  represents  generic  judgements.  However,  there  is  no  notion  of 
admissibility  internal  to  the  LF  type  theory. 

Instead,  admissibility  is  handled  by  defining  a  separate  meta-logic  for  reasoning  about  LF 
terms.  In  this  meta-logic,  the  terms  of  LF  (and  in  particular  the  canonical  forms,  or  T-normal 
r]- long  terms)  are  specified  by  an  inductive  definition,  so  one  can  induct  over  canonical  forms, 
just  as  we  inducted  over  derivations  of  second-order  derivability  above.  This  observation  is  ex¬ 
ploited  in  two  parts  of  the  LF  methodology:  This  first  is  in  proving  adequacy — that  the  formal 
representation  of  a  logic  in  LF  is  isomorphic  to  the  informal  representation  written  on  paper. 
The  second  is  in  proving  “meta-theorems”  about  LF  representations  of  logics.  In  our  terminol¬ 
ogy,  these  metatheorems  correspond  to  admissibilities.  Various  systems  built  around  LF,  such  as 
Twelf  (Pfenning  and  SchurmaTfnj  1999),  Delphin  (Poswolsky  and  Schiirmann,  2008),  and  Bel¬ 
uga  (Pientka,  2008),  formalize  a  such  a  meta-language,  permitting  machine-checked  proofs  of 
meta- theorems.  However,  the  downside  of  this  approach  is  that  one  cannot  use  admissibility  in 
LF  representations,  which  precludes  some  of  the  examples  described  above. 

Schiirmann  et  al.  (2001|)  describe  a  different  approach  to  integrating  admissibility.  In  their 
language,  a  modal  type  HA  classifies  closed  terms  of  type  A  and  is  eliminated  by  primitive  re¬ 
cursion;  [Despeyroux  and  Leleu  (1999)  describe  a  generalization  with  dependent  types.  Unlike 
the  LF-based  approaches  described  above,  these  languages  are  not  syntactically  stratified  into 
separate  representational  and  computational  parts.  Instead,  they  reuse  the  same  arrow  for  deriv¬ 
ability  (e.g.,  a  function  A  — >  B  where  A  and  B  do  not  include  □,  is  used  for  representation)  and 
admissibility  (e.g.,  a  function  DA  —>  B  can  decompose  A  by  primitive  recursion).  However, 
these  languages  do  not  permit  admissibility  functions  such  as  DA  — >  B  in  datatype  definitions. 


Martin-Lof  Type  Theory 

Dependent  types  are  also  the  basis  for  a  variety  of  proof  assistants/programming  languages  based 
on  Martin-Lof  type  theory  (|Martin-L6f||1975|),  such  as  NuPRL  ([Constable  et  al.[[T986l),  Coq  (|Coq| 
Development  Team]  2009),  Epigram  (|McBride  and  McKinna  2004|),  Agda  (Norell[|2007|),  De¬ 
pendent  ML  (|Xi  and  Pfenning[|l999),  Omega  (Sheard  2004),  and  ATS  (Xi ,  2003).  We  will  refer 
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to  these,  especially  the  mostly-pure  languages  like  NuPRL,  Coq,  Epigram,  and  Agda,  as  MLTT s. 
MLTTs  provide  a  richer  collection  of  types  than  LF,  such  as  inductively  defined  datatypes  and  in¬ 
dexed  families  of  datatypes  (Dybjcr  1991 ).  Thus,  a  base  judgement  (such  as  true  :  prop  — >  type) 
can  be  represented  either  as  an  inductive  type  or  as  a  base  type. 

When  syntax  and  judgements  are  represented  as  inductive  types,  the  function  space  of  the 
theory  represents  admissibility,  not  derivability:  a  function  J  — >  K  may  case-analyze  or  induct 
on  the  proof  of  J.  Thus,  one  can  straightforwardly  encode  inference  rules  with  admissibilities  as 
premises  using  iterated  inductive  definitions  (Martin-Lof  197 1|),  or  datatypes  with  higher-order 
premises.  For  example,  the  cu-rule  is  represented  as  follows  (using  Agda  notation,  but  being 
informal  about  the  representation  of  variables): 


data  true  :  Prop  ->  Set  where 
omega  :  (  (n  :  Nat)  ->  (A  [  n  /  x  ])  true  ) 
->  (all  x.A)  true 


In  Agda  notation,  naming  the  type  family  _true  allows  it  to  be  used  post-fix.  The  constructor 
omega  says  that,  given  a  function  that  maps  each  natural  number  n  to  a  proof  of  A[n/x],  we  can 
conclude  allx.A.  Because  Nat  is  an  inductive  type,  such  a  function  may  be  defined  by  recursion. 

On  the  other  hand,  we  are  cheating  by  assuming  this  notation  for  variables  and  substitution: 
when  syntax  and  judgements  are  represented  as  inductive  types,  MFTTs  do  not  provide  any  built- 
in  support  for  derivability.  For  example,  if  we  try  to  represent  syntax  using  MFTT  functions  as 
follows: 

data  Indiv  :  Set  where 


data  Prop  :  Set  where 
all  :  (Indiv  ->  Prop)  ->•  Prop 


then  Indiv  ->  Prop  represents  admissibility,  not  derivability.  In  the  literature,  such  representations 
are  often  said  to  have  a  problem  with  “exotic  terms”  (Despeyroux  et  al.,  1995 ) — elements  of  the 
function  space  that  do  not  correspond  to  the  desired  syntax.  This  is  true  if  the  desired  syntax  is 
in  fact  derivability.  However,  if  the  desired  syntax  is  admissibility,  then  the  exotic  terms  are  not 
exotic  at  all,  but  exactly  what  you  want.  That  is,  there  is  nothing  wrong  with  using  admissibility 
in  syntax;  it  is  simply  a  different  notion  than  derivability.  For  example,  the  above  use  of  admissi¬ 
bility  defines  a  syntax  of  propositions  with  induction  over  individuals.  The  same  idea  is  exploited 
in  Zeilberger’s  higher-order  focusing  (Zeilbergerj  2008ajb  2009j),  which  is  “higher-order”  in  this 
admissibility  sense.  These  higher-order  representations  facilitate  simple  proofs  of  cut  elimination 
for  logics  with  inductive  types,  using  iterated  inductive  definitions  in  the  meta-logic. 

As  discussed  above,  admissibility  requires  an  iteration/stratification  condition,  which  pre¬ 
cludes  putting  a  judgement  to  the  left  of  an  admissibility  in  its  own  definition.  For  example,  we 
might  try  to  extend  the  above  logic  with  a  second-order  quantifier,  represented  by  a  new  datatype 
constructor  all2  :  (Prop  ->  Prop)  ->  Prop.  However,  this  constructor  is  rejected  by  the  positivity 
checker  of  a  system  like  Agda,  which  checks  stratification.  Naively  extending  a  type  theory  with 
general  (non-stratified)  recursive  types  permits  the  definition  of  non-terminating  terms  of  every 


16 


CHAPTER  2.  BACKGROUND 


type,  which  makes  the  type  theory  inconsistent  as  a  logic.  In  the  literature,  this  is  often  referred 
to  as  a  problem  with  “negative  occurrences”  of  a  type  in  its  own  definition.  While  these  negative 
occurrences  rule  out  certain  uses  of  admissibility,  it  is  important  to  realize  that  they  are  not  a 
problem  for  derivability — as  argued  above,  there  is  no  problem  putting  a  judgement  to  the  left 
of  a  derivability  in  its  own  definition.  Thus,  claims  that  “higher-order  abstract  syntax”  (meaning 
derivability)  runs  into  problems  with  negative  occurrences  are  predicated  on  a  confusion  be¬ 
tween  derivability  and  admissibility.  Similarly,  claims  that  “you  cannot  induct  over  higher-order 
abstract  syntax”  apply  to  admissibility,  but  not  to  derivability — one  can  perfectly  well  induct  over 
derivability,  e.g.  using  the  induction  principle  for  second-order  derivability  described  above. 


Higher-order  approaches  to  derivability  An  alternative  to  representing  base  judgements  as 
inductive  types  is  to  represent  them  as  base  types  (as  in  an  LF  representation).  Then  the  func¬ 
tion  space  of  the  type  theory  represents  derivability,  not  admissibility.  For  example,  one  could 
represent  propositions  by  parametrizing  over  the  following  variables: 

Indiv  :  Set 
Prop  :  Set 

all  :  (Indiv  ->•  Prop)  ->  Prop 
all2  :  (Prop  ->■  Prop)  ->•  Prop 


There  is  no  requirement  for  stratification  if  Prop  is  a  base  type.  However,  this  representation 
affords  no  support  whatsoever  for  admissibility  within  MLTT.  Most  of  the  time,  one  represents 
a  logic  in  a  proof  assistant  not  just  to  reason  in  the  logic,  but  also  to  reason  about  it — to  prove 
theorems  or  to  write  recursive  functions. 

The  need  for  admissibility  leads  to  an  interesting  twist  on  the  above  representation,  called 


weak  higher-order  abstract  syntax  (Despeyroux  et  ah  1995 ):  replace  the  occurrence  of  Prop  on 


the  left  of  the  arrow  by  a  base  type  PropVar,  and  let  occurrences  on  the  right  of  an  arrow  refer 
to  an  inductive  type.  Then  functions  PropVar  ->  C  represent  derivability,  but  functions  Prop  ->•  C 
represent  admissibility.  However,  WHOAS  runs  into  some  problems  as  well:  First  of  all,  because 
the  type  on  the  left  is  different  than  the  type  on  the  right,  it  is  necessary  to  define  substitution  ex¬ 
plicitly.  Moreover,  many  recursive  functions  over  syntax,  including  substitution,  require  testing 
the  equality  of  variables.  However,  as  soon  as  you  add,  e.g.,  varEq  :  PropVar  ->  PropVar  Bool, 
the  function  space  PropVar  ->  C  no  longer  corresponds  to  derivability,  as  it  allows  a  form  of  in¬ 
trospection  of  variables. 


Several  solutions  to  this  problem  have  been  considered:  The  first  (Despeyroux  et  al.  1995 ) 
is  to  allow  a  meta-language  type  PropVar  ->  C  that  is  too  broad,  and  then  isolate  the  subset  of 
such  functions  that  represent  derivabilities  using  a  predicate  valid.  However,  the  proof  of  valid 
follows  the  structure  of  a  term  exactly.  Thus,  writing  down  a  function  /  and  its  validity  proof 
amounts  to  writing  both  a  higher-order  and  first-order  representation  of  the  same  term.  Thus,  this 
representation  is  only  tenable  in  a  system  with  enough  proof  automation  that  these  obligations 
can  be  discharged  automatically. 

A  second  solution,  taken  in  the  theory  of  contexts  (Bucalo  et  al.,  2006  Miculan[  2001 ),  is 
to  avoid  adding  any  operations  that  would  create  exotic  terms,  while  supporting  admissibility  by 
postulating  various  operations  on  syntax.  For  example,  decidability  of  variables  is  postulated  at  a 
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separate  propositional  level  only,  so  that  it  cannot  be  used  to  define  in  a  function.  Other  postulates 
include  the  existence  of  a  variable  that  does  not  occur  in  a  given  term,  and  recursion/induction 
principles  that  fix  the  meaning  of  PropVar  ->•  Prop.  A  downside  of  this  approach  is  that  it  requires 
an  extension  of  MLTT  with  these  postulates  as  axioms.  Moreover,  the  operational  semantics  of 
these  axioms  (e.g.  the  computational  behavior  of  a  recursor)  can  be  given  only  by  proofs  of 
propositional  equations,  not  as  part  of  the  definitional  equality  of  the  type  theory. 


A  third  solution,  called  parametric  higher-order  abstract  syntax  (Chlipalaf  2008),  involves 
mediating  between  an  abstract  and  concrete  type  of  variables.  Rather  than  fixing  PropVar  to  be  a 
single  base  type,  quantified  at  the  outside  of  the  program,  one  sometimes  chooses  PropVar  to  be 
a  type  variable,  and  sometimes  instantiates  it  concretely,  using  polymorphic  quantification  over 
types.  To  accomplish  this,  the  datatype  of  propositions  is  parametrized  by  the  type  of  proposi¬ 
tion  variables,  and  in  a  polymorphic  term  of  type  Va.Prop(cr)  the  functions  a  ->•  Prop  must  be 
uniform,  representing  derivability.  But  when  programming  with  such  terms,  the  quantifier  can  be 
instantiated  by  a  concrete  type,  e.g.  nat,  so  that  variables  can  be  compared  for  equality.  However, 
working  with  PHOAS  terms  is  somewhat  idiosyncratic.  For  example,  proving  the  correctness  of  a 
translation  from  PHOAS  to  a  well-scoped  first-order  representation  requires  parametricity  prop¬ 
erties  of  the  meta-logic,  which  no  current  implementations  of  MLTT  provide  (alternatively,  one 
can  translate  PHOAS  terms  equipped  with  a  separate  proof  of  well-formedness,  but  that  proof  is 
similar  to  a  first-order  representation). 


One  weakness  of  these  three  approaches  is  that  they  do  not  provide  the  contextualized  induc¬ 
tion  principles  described  above,  which  permits  proving  a  context-indexed  family  of  properties 
P(T,  J )  about  a  derivation  of  T  h  J.  This  is  because  these  approaches  identify  the  object-logic 
context  with  the  meta-logic  context,  so  the  proof  of  a  meta-theorem  is  “inside”  an  object  logic 
context  T,  and  thus  cannot  talk  about  the  entire  context  explicitly.  This  situation  is  similar  to  two 
of  the  LF-based  systems,  Twelf  and  Delphin,  but  different  than  Beluga.  In  Twelf  and  Delphin, 
context  invariants  (e.g.  “every  term  variable  has  an  associated  typing  derivation”)  can  be  main¬ 
tained  without  mentioning  the  context  explicitly — in  Twelf  using  the  %worlds  declaration,  and 
in  Delphin  using  functions  from  a  type  of  variables.  The  latter  approach  could  be  used  with 
WHOAS,  but  not  in  the  theory  of  contexts  (defining  the  functions  require  case-analysis  on  vari¬ 
ables).  In  PHOAS,  one  way  to  maintain  such  invariants  is  by  instantiating  the  type  of  variables 
appropriately.  However,  some  theorems  require  a  more  detailed  statement  about  the  context, 
which  does  not  simply  associate  some  invariant  with  each  variable  in  isolation.  For  example, 
when  proving  a  substitution  theorem  for  first-order  logic,  the  assumptions  to  the  left  of  the  vari¬ 
able  being  substituted  for  remain  unchanged,  whereas  the  assumptions  to  its  right  are  substituted 
into.  One  approach  to  proving  such  theorems,  which  has  been  used  in  Twelf,  is  to  define  an 
alternative  representation  where  contexts  are  explicit,  and  to  mediate  between  this  and  the  usual 
representation  (|Crary[  12008]) . 


Another  problem  with  these  three  approaches  is  that  it  is  unclear  how  well  they  scale  to 
assumptions  of  order  greater  than  two.  For  example,  in  the  theory  of  contexts,  one  adds  an  in¬ 
duction  principle  for  PropVar  — >  Prop,  allowing  inductive  analysis  of  such  functions.  However, 
this  means  that  a  function  of  type  (PropVar  — >  Prop)  — >  Prop  corresponds  to  admissibility, 
not  derivability.  One  could  imagine  considering  a  base  type  PropVarFn  representing  derivability 
assumptions  of  such  functions,  but  this  has,  to  our  knowledge,  not  been  worked  out. 
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These  three  solutions  show  that  it  is  possible  to  model  derivability  using  the  function  space 
of  MLTT,  but  either  with  some  proof  overheads  (for  WHOAS)  or  by  adopting  a  somewhat  id¬ 
iosyncratic  programming  model  (in  the  the  theory  of  contexts  or  PHOAS).  In  any  case,  these 
approaches  do  not  provide  direct  support  for  explicit  reasoning  about  contexts,  or  for  higher- 
order  assumptions. 


First-order  approaches  to  derivability  An  alternative  to  modeling  derivability  as  MLTT  func¬ 
tions  with  a  particular  domain  type  is  to  model  it  using  first-order  means.  To  do  so,  it  is  necessary 
to  choose  a  representation  for  contexts  and  variables. 

Named  form.  The  most  basic  representation  is  to  use  explicit  names:  a  binding  site,  in  a 
context  or  in  a  term,  is  represented  as  a  pair  of  a  a  name  (e.g.  a  string)  and  a  judgement  (e.g. 
T,  (”«” ,  /ltrue)),  and  variables  are  represented  by  occurrences  of  the  same  name.  The  advantages 
of  this  representation  are  that  it  is  easy  to  write  down  terms,  and  that  it  matches  informal  practice. 

A  problem  is  that  it  requires  quotienting  by  a-convcrsion,  so  that  judgements  that  differ  only  by 
the  names  of  assumptions  are  considered  equal.  Quotient  types  are  not  very  well  supported  in 
existing  proof  assistants,  and  in  informal  practice  it  is  common  to  elide  the  proofs  that  operations 
respect  a-cquivalcncc. 

de  Bruijn  indices.  A  second  possibility  is  to  represent  contexts  as  lists  of  judgements  (T,  /ltrue), 
and  represent  variables  as  indices  into  a  list  T.  This  representation  is  known  as  de  Bruijn  in¬ 
dices  (de  Bruijn,  1972).  This  gives  unique  representations  of  cr-equivalence  classes,  but  makes 
terms  somewhat  difficult  to  write  down  and  work  with,  because  the  de  Bruijn  indices  are  harder 
to  write  and  read  than  names.  Another  disadvantage  of  de  Bruijn  indices  is  that  weakening  and 
exchange  modify  a  term,  as  they  must  replace  one  index  with  another.  A  third  problem  is  that 
terms  may  contain  dangling  free  variables,  which  do  not  correspond  to  any  variable  in  scope. 

This  last  problem  can  be  solved  by  using  well-scoped  de  Bruijn  indices  (Altenkirch  and  Reus, 


1999;  Bellegarde  and  Hook  1994|  Bird  and  Paterson  [  1999):  representing  terms  as  a  dependent 


type  indexed  by  the  context,  so  that  dangling  indices  are  ruled  out  by  typing.  For  example: 


data 

_e_ 

:  Prop  ->  Ctx  -»•  Set  where 

iO  : 

u 

'-V-' 

> 

A} 

-5-  A  G 

(A  ::  T) 

iS 

:  V  {T 

A  B} 

-+  A  G 

r 

->  A  e 

(B  ::  r) 

data 

h 

:  Ctx  ->  Prop  ->•  Set  where 

id  : 

:  V  {T 

A} 

■+ A  e 

r 

4Th 

A 

Dl 

:V{r 

'A} 

-(A:: 

:  T)  h  B 

^Th 

(ADB) 

We  represent  variables  by  a  type  A  e  T,  which  is  a  unary  number  indexed  by  a  context  and  a 
proposition  being  judged  to  be  in  that  context.  Next,  we  represent  derivability  by  a  type  family 
h  indexed  by  a  context  T  and  a  proposition  being  judged  true  in  T.  The  rules  for  this  type  family 
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consist  of  identity  id,  as  well  as  the  inference  rules  for  each  connective.  The  representation  is 
isomorphic  to  the  intended  on-paper  definition  of  derivability,  and  gives  you  direct  access  to  the 
appropriate  contextualized  induction  principle.  However,  while  the  indexing  makes  the  de  Bruijn 
indices  somewhat  easier  to  manage  (many  incorrect  manipulations  of  them  are  type  errors),  it  is 
still  less  convenient  than  names. 

Locally/globally  named/nameless.  Another  possibility  is  to  distinguish  bound  variables  (ref¬ 
erences  to  a  binding  site  in  a  term)  from  free  variables  (references  to  a  binding  site  in  a  context), 
and  to  use  a  different  representation  for  each  (Aydermr  et  al.[  2008 1  McKinna  and  Pollack  1999 ). 
A  common  choice  is  locally  nameless,  which  uses  de  Bruijn  indices  for  bound  variables  but 
names  for  free  variables,  though  different  permutations  of  {locally, globally}  {named,  nameless} 
have  been  considered.  In  general,  an  advantage  of  distinguishing  bound  and  free  variables  is  that 
substitution  need  not  worry  about  capture :  when  substituting  [M /x]N,  it  is  necessary  to  ensure 
that  the  free  variables  in  M  do  not  collide  with  the  bound  variables  in  M,  which  would  cause 
those  variables  to  refer  to  the  wrong  binding  site.  If  bound  and  free  variables  are  differentiated, 
then  a  free  variable  can  never  refer  to  a  binding  site  in  a  term.  However,  the  cost  of  this  repre¬ 
sentation  is  that,  when  traversing  a  binder,  it  is  necessary  to  open  the  term,  replacing  the  bound 
variable  with  a  free  variable. 

Regarding  locally  nameless  /  globally  named  specifically,  one  advantage  relative  to  de  Bruijn 
is  that  weakening  and  exchange  of  free  variables  do  not  change  the  term.  However,  while  locally 
nameless  gives  unique  representatives  of  cr -equivalence  classes  of  bound  variables,  it  does  not 
immediately  allow  horizontal  a-conversion  of  judgements.  To  ensure  that  judgements  can  be 
o-con verted,  some  care  is  required  when  writing  inference  rules.  For  example,  in  rules  that 
introduce  assumptions,  it  is  common  to  mediate  between  existential  and  universal  quantification 
over  fresh  variables: 

there  exists  u  T  such  that  T,  u  :  A  true  h  B  true  for  all  u  T,  T,  u  :  A  true  h  B  true 


T  h  A  D  B  true 


T  h  A  D  B  true 


The  existential  rule  is  easier  to  introduce,  because  it  requires  only  that  one  show  the  premise 
for  a  particular  fresh  variable.  However,  it  is  harder  to  reason  from,  because  one  only  knows 
the  premise  for  some  fresh  variable,  and  in  some  proofs,  this  fresh  variable  might  need  to  be 
matched  up  with  another  fresh  variable  introduced  elsewhere.  On  the  other  hand,  the  universal 
rule  is  harder  to  introduce,  but  easier  to  reason  from,  because  the  inductive  hypothesis  will  give 
the  premise  for  all  fresh  variables.  One  technique  for  using  locally  nameless  involves  mediating 
between  these  two  rules:  for  example,  one  might  define  the  system  with  the  universal  rule,  but 


then  prove,  using  a  notion  of  permutation  of  variable  names  as  in  nominal  logic  (Pitts  2003),  that 
the  existential  rule  is  admissible — if  the  premise  holds  for  some  fresh  variable,  then  it  holds  for 


all  of  them.  Another  technique  is  to  use  cofinite  quantification  ( Aydemir  et  al.  2008 ),  which  uses 
a  universal  quantifier,  but  rather  than  demanding  that  the  variable  be  fresh  for  T,  one  demands 
that  it  be  fresh  for  some  existentially  quantified  set  L.  This  technique  sometimes  avoids  the  need 
to  prove  the  existential  rule  admissible. 

A  disadvantage  of  these  techniques  that  distinguish  bound  and  free  variables  is  that,  unlike 
well-scoped  de  Bruijn  indices,  the  scoping  of  free  variables  is  not  represented  intrinsically  in  a 
term’s  type.  For  example,  a  locally  nameless  syntax  will  be  typically  have  a  term  constructor 
fvar  :  Name  A  ->  Term  A  allowing  a  term  to  be  constructed  from  a  name.  However,  this  provides 
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no  information  about  which  names  may  appear  in  a  term.  Moreover,  as  soon  as  you  try  to  index 
Term  by  a  context  of  free  variables,  and  check  that  all  names  are  in  this  context,  you  end  up  back 
at  a  de  Bruijn  representation,  because  the  proof  that  a  name  is  in  a  context  is  exactly  a  de  Bruijn 
index.  Thus,  locally  nameless  works  best  in  a  proof  assistant  with  good  support  for  automation, 
where  a  Term  T  A  can  be  represented  as  a  Term  A  paired  with  a  separate  proof  that  all  of  its 
free  variables  are  in  T,  and  these  proof  obligations  can  be  discharged  automatically  by  the  proof 
assistant. 

Structural  properties.  A  disadvantage  of  all  of  these  first-order  representations,  when  used 
directly,  is  that  the  structural  properties  must  be  proved  for  each  datatype.  It  would  be  nicer  to 
instead  have  a  logical  framework  that  guarantees  that  the  structural  properties  hold.  Several 
tools,  Ott  (|Sewell  et  al.[  |2007|),  Lambda  Tamer  (jChlipala]  |2007|),  and  LNGen  (|Aydemir  and 
Weirichj  |2010),  provide  frameworks  for  writing  down  definitions  of  syntax  with  binding,  and 


provide  generic  implementations  of  the  structural  properties.  However,  a  disadvantage  of  these 
approaches  is  that  they  are  external  to  the  type  theory,  implemented  as  tactics  or  stand-alone 
tools.  A  second  disadvantage  is  that  the  notion  of  datatype  with  binding  does  not  allow  full 
exploitation  of  the  host  language — for  example,  they  do  not  allow  admissibility  functions  of  the 
host  language  to  be  used  in  syntax. 


Another  approach  to  presenting  the  structural  properties,  taken  in  Hybrid  (Ambler  et  al. 


|2002][Capretta  and  Felty[[2007||Momigliano  et  al.[|2007[)  and|Barzilay  and  Allen|(|2002]);|Hickey 


|et  al.|(|2006l)’s  work,  is  to  define  derivability  using  an  underlying  de  Bruijn  representation,  but 
then  to  present  a  higher-order  interface  to  it,  using  the  admissibility  functions  of  the  host  theory. 
As  with  WHOAS,  this  involves  defining  a  predicate  that  identifies  the  subset  of  Prop  ->•  Prop 
functions  that  corresponds  to  derivability — those  that,  when  applied,  act  like  substitution  into 
some  de  Bruijn  term.  Like  WHOAS,  this  approach  also  requires  managing  some  proof  obliga¬ 
tions  that  are  external  to  a  term.  However,  it  improves  on  WHOAS  by  providing  substitution,  in 
addition  to  weakening,  contraction,  and  exchange,  as  function  application. 


Logic  Programming 

The  integration  of  derivability  and  admissibility  has  also  been  studied  in  the  context  of  logic 
programming,  as  opposed  to  functional  programming  (|Gacek  et  al. ,  2008]  |Miller  and  Tiu]  |2003[). 
Unlike  LF,  their  approach  distinguishes  terms  (the  subjects  of  propositions)  from  propositions. 
The  term  level  is  a  higher-order  A-calculus,  in  which  derivability  can  be  represented  using  higher- 
order  abstract  syntax.  The  propositional  level  includes  two  quantifiers,  \/x.A  and  SJx.A,  corre¬ 
sponding  to  admissibility  and  a  notion  of  derivability,  respectively  (the  exact  structural  properties 
that  V  satisfies  differ  in  different  treatments  of  the  connective).  This  allows  admissibility  and 
derivability  generic  judgements  to  be  mixed  at  the  propositional  level,  but  not  in  terms.  Like 
Twelf  and  Delphin,  but  unlike  Beluga,  in  admissibilities  the  object-language  context  is  identified 
with  the  generic  judgement  assumptions  in  the  meta-language  context. 

Another  logic  programming  idea  that  is  relevant  to  the  present  work  is  definitional  reflec¬ 
tion  (Hallnhs}  1991]  Schroeder-Heister  1993|),  which  supposes  a  database  of  rules  used  for  both 
building  proofs  of  propositional  atoms  and  for  deriving  consequences  of  atoms  by  “reflection” 
(i.e.,  by  inverting  the  rules).  Through  the  Curry-Howard  interpretation,  the  rule  database  corre¬ 
sponds  to  a  database  of  datatype  constructors,  which  can  be  used  both  to  build  datatype  values 


2.1.  LOGICAL  FRAMEWORKS 


21 


and  to  define  functions  by  pattern-matching.  Derivability  can  be  thought  of  as  an  extension 
of  definitional  reflection  which  permits  this  database  of  rules  to  vary,  by  introducing  a  scoped 
datatype  constructor. 

Functional  Programming 


Miller  (11990)  describes  an  early  account  of  mixing  derivability  and  admissibility.  This  takes  the 
form  of  an  extension  to  ML  with  a  new  type  'a  =>  '  b  representing  a  term  of  type  '  b  with 
abstracted  parameter  '  a,  as  well  as  a  restricted  form  of  higher-order  pattern-matching.  In  this 
proposal,  the  domain  '  a  must  be  not  only  an  equality  type,  but  also  a  user-defined  datatype, 
since  the  meanings  of  base  types  such  as  int  or  string  should  not  be  open-ended.  This 
restriction  corresponds  to  separating  out  a  class  of  base  judgements  that  may  be  hypothesized,  a 
technique  we  will  borrow  in  Chapter  [5}  Moreover,  the  codomain  '  b  must  be  an  equality  type, 
which  precludes  making  a  derivability  assumption  in  an  admissibility  (as  ML  functions  are  not 
equality  types) — this  avoids  many  of  the  complications  that  we  will  address  below. 


Nominal  Logic 


Nominal  logic  (|Gabbay[  |2010^  Pitts.  |2003|)  is  another  technique  used  to  represent  derivability 
judgements.  However,  nominal  logic  is  both  more  general  than  and  not  necessary  to  represent 
derivability.  Gabbay  explains  nominal  logic  as  follows  (jGabbay  2010): 

If  there  is  a  single  idea  behind  nominal  techniques,  it  is  to  let  names  inhabit  a  de¬ 
notation  directly  as  a  form  of  data  . . .  That  is,  the  ’x’  in  A x.r,  \/x.cp,  fx  f(x)dx,  and 
vx.P  has  an  independent  denotational  reality.  This  x  is,  in  a  mathematical  sense  that 
we  will  make  formal,  a  ‘real  thing’:  a  name. 

Nominal  logic  studies  names  as  nouns,  which  have  meaning  independent  of  any  scope.  On 
the  other  hand,  derivability  assumptions  are  pronouns  that  serve  only  as  a  reference  to  a  binding 
site.  It  is  possible  to  implement  derivability  using  the  names  of  nominal  logic,  in  the  same 
way  that  it  is  possible  to  implement  a  named  representation  from  scratch — except  the  nominal 
framework  provides  notions  of  name  permutation  and  o-cquivalcncc,  which  simplifies  the  task 
considerably.  However,  it  is  not  necessary  to  think  of  derivability  in  this  way,  any  more  than  it 
is  necessary  to  think  of  it  in  terms  of  de  Bruijn  indices.  Thus,  we  view  nominal  logic  as  one 
potential  implementation  technique  for  derivability.  That  said,  nominal  logic  is  more  general 
than  derivability,  and  the  notion  of  a  name  as  a  real  thing  is  sometimes  useful.  For  example, 
memory  locations  in  an  operational  semantics  for  a  language  with  state  can  be  fruitfully  modeled 
as  names. 

In  one  respect,  names  are  easier  to  integrate  with  admissibility  than  derivability  is:  in  nominal 
languages  such  as  FreshML  (Shinwell  et  al.]  [2003}),  the  type  of  names  is  kept  open-ended  (it  is 
considered  to  have  infinitely  many  inhabitants).  Thus,  any  admissibility  function  on  syntax  with 
binding  must  account  for  arbitrarily  many  names,  and  is  therefore  weakenable.  However,  many 
functions  on  syntax  are  only  defined  for  certain  classes  of  contexts  (e.g.,  only  closed  arithmetic 
expressions  can  be  evaluated  to  a  numeral),  and  the  nominal  approach  does  not  allow  these 
invariants  to  be  expressed  in  a  program’s  type. 
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However,  in  another  respect,  names  are  more  difficult  to  integrate  with  admissibility:  when 
names  are  things,  it  takes  some  work  to  ensure  that  admissibility  functions  respect  o-cquivalcncc. 


There  are  several  approaches  to  this  problem.  Static  approaches,  such  as  the  type  system  in  Pitts 


and  Gabbay  (|2000j)  and  and  the  specification  logic  in  Pure  FreshML  (Pottier,[2007 )  use  machin¬ 


ery  for  ensuring  that  certain  names  are  fresh  with  respect  to  (roughly  “not  free  in”)  certain  com¬ 


putations.  Using  this  machinery,  one  can  state  and  prove  a  freshness  condition  for  binders  (Pitts 


2006)  for  each  function  definition,  demonstrating  that  the  bound  variables  are  fresh  for  the  the 


result.  Pitts  and  Gabbay  (|2000j)  employ  a  conservative  freshness  analysis  to  discharge  these  con¬ 
ditions.  Pottier  (|2007[)  describes  a  specification  logic  in  which  these  conditions  can  be  proved.  A 
dynamic  approach,  proposed  by  Shinwell  et  al.j(20Q3|),  exploits  an  effectful  operational  seman¬ 
tics  to  ensure  that  the  conditions  cannot  be  violated. 


2.2  Agda 

We  briefly  review  Agda’s  syntax,  referring  the  reader  to  the  Agda  Wiki  (http :/ /wiki . 
portal .  chalmers  .  se/ agda/). 


Dependent  functions  Dependent  function  types  are  written  as  (x  :  A)  ->  B.  An  implicit 
dependent  function  space  is  written  {x  :  A}  ^  B  or  V  {x}  ->  B.  Arguments  to  implicit 
functions  are  inferred  by  default.  They  can  also  be  explicitly  instantiated  positionally  by  writing 
f  {  a  }  or  by  name  by  writing  f  {x  =  a  }.  Non-dependent  functions  are  written  A  -a  B. 

Anonymous  functions  are  written  Ax^e.  Named  functions  are  defined  clausally  by  pattern 
matching: 

append  :  {A  :  Set}  -a  List  A  -a  List  A  -a  List  A 
append  []  ys  =  ys 

append  (x  ::  xs)  ys  =  x  ::  (append  xs  ys) 

Let  bindings  are  written  as  let  x  =  el  ...  in  e. 


Infix  and  Mixfix  Operators  Infix  operators  are  declared  with  underscores: 

-I — |-  :  { A  :  Set}  >  List  A  >  List  A  >  List  A 

11  ++  12  =  append  11  12 

Mixfix  operators  are  also  allowed;  e.g.  a  function  if  then  else  can  be  used  as  if  e  then  el  else  e2. 


Predicative  Hierarchy  Set  is  the  classifier  of  classifiers  in  Agda.  Set  is  a  synonym  for  Set  Z, 
where  Z  :  Level  is  a  universe  level.  Sets  are  stratified  into  universe  for  size  reasons,  to  avoid 
Set  :  Set.  Agda  supports  explicit  universe  polymorphism  using  quantification  over  Level. 
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Inductive  Types  Inductive  types  are  defined  by  a  datatype  notation: 

data  List  {I  :  Level}  (a  :  Set  I)  :  Set  I  where 
[]  :  List  a 

:  a  ->  List  a  ->  List  a 

Non-uniform  inductive  families  are  allowed.  For  example,  dependent  de  Bruijn  indices  are 
represented  as  follows: 

data  _G_  (A  :  Set}  :  A  ->  List  A  ->  Set  where 

iO  :  (x  :  A}  {xs  :  List  A}  ->  x  G  (x  ::  xs) 

iS  :  (x  y  :  A}  (xs  :  List  A}  -»  y  G  xs  -»  y  G  (x  ::  xs) 

For  any  Set  A,  and  terms  x  and  xs  of  type  A  and  List  A,  there  is  a  type  x  G  xs.  The  first 

constructor,  iO,  creates  a  proof  of  x  G  (x  ::  xs) — i.e.  x  is  the  first  element  of  the  list.  The  second 
constructor  iS,  creates  a  proof  of  x  G  (y  ::  xs)  from  a  proof  that  x  is  in  the  tail. 

As  a  simple  example  of  dependent  pattern  matching,  we  define  an  n-ary  version  of  iS: 

skip  :  (A  :  Set}  (xs  :  List  A)  (ys  :  List  A}  (y  :  A} 

->  y  G  ys  ->  y  G  (append  xs  ys) 
skip  []  i  =  i 

skip  (x  ::  xs)  i  =  iS  (skip  xs  i) 

The  fact  that  this  code  type-checks  depends  on  the  computational  behavior  of  append;  e.g.,  in 
the  first  case,  the  expression  append  []  ys  reduces  to  ys,  so  we  can  return  the  index  i  unchanged. 

Many  basic  type  constructors  can  be  defined  as  datatypes:  we  write  Either  A  B  for  sums, 
Bool  for  booleans,  Void  for  the  empty  type,  SAB,  where  A  :  Set  and  B  :  A  ->  Set,  for 
dependent  pairs,  and  A  x  B  for  non-dependent  pairs. 

Agda  allows  overloading  of  datatype  constructors  between  different  types.  As  a  convention, 
we  overload  >  and  ►  for  injections  from  one  type  to  another. 


Intensional  Equality  Intensional  equality  can  be  defined  by  a  datatype 

data  Id  (I  :  Level}  (A  :  Set  1}  :  A  ->  A  ->  Set  I  where 
Ref  I  :  (a  :  A}  ->  Idaa 

This  notion  of  equality  is  propositionally  proof-irrelevant:  we  can  prove  that  any  two  terms 
of  type  Id  x  y  are  themselves  Id.  It  is  not  functionally  extensional,  in  the  sense  that  one  cannot 
prove 


ext  :  ((x  :  A)  ->  Id  (fx)  (g  x))  ->  Idfg 


It  is  common  to  postulate  this  as  an  axiom,  though. 
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Universes  A  universe  is  specified  by  an  inductive  datatype  of  codes  for  types,  along  with  a 
function  mapping  each  code  to  a  Set.  For  example,  a  simple  universe  with  an  empty  type,  a  unit 
type,  and  binary  products  is  specified  as  follows: 

data  Type  :  Set  where 
‘0  :  Type 
‘1  :  Type 

_8_  :  Type  -»  Type  ->  Type 

Element  :  Type  ->  Set 
Element1!)  =  Void 
Element1].  =  Unit 

Element  (r  1  (8)  t2)  =  (Element  rl)  x  (Element  r2) 

In  the  right-hand  side  of  Element,  we  write  Ax  B  for  the  Agda  pair  type,  etc. 

Datatype-generic  programs  are  implemented  by  recursion  over  the  codes;  e.g,  every  element 
of  the  universe  can  be  converted  to  a  string: 

show  :  (r  :  Type)  ->  Element  r  ->  String 
show‘0  () 

showT  <>  =  "<>" 
show  (rl  8)  r2)  (el.  e2)  = 

"<  "  ++  (show  rl  el)  ++  "  ,  "  ++  (show  r2  e2)  ++  "  >" 

In  the  first  clause,  the  empty  parentheses  are  a  refutation  pattern,  telling  Agda  to  check  that  the 
type  in  question  (in  this  case  Element'O)  is  uninhabited,  and  allowing  the  programmer  to  elide 
the  right-hand  side. 

As  another  example,  we  will  often  view  booleans  as  a  two-element  universe,  with  only  True 
inhabited: 

data  Bool  :  Set  where 
True  :  Bool 
False  :  Bool 

Check  :  Bool  — >  Set 
Check  True  =  Unit 
Check  False  =  Void 

Because  Agda  implements  extensionality  for  Unit  (there  is  only  one  record  with  no  fields),  terms 
of  type  Check  True  can  be  left  implicit  and  inferred. 

With  The  with  construct  allows  a  new  column  to  be  added  to  a  pattern-matching  function 
definition.  This  has  two  uses:  the  first  is  simple  subsidiary  case  analysis,  which  would  be  written 
with  case  in  ML  or  Haskell.  For  example: 
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forgetMaybe  :  {A  :  Set}{B  :  A  ->  Set}  ->  ((x  :  A)  ->  Maybe  (B  x))  ->  (A  ->  Bool) 
forgetMaybe  f  x  with  f  x 
...  j  Some  _  =  True 
...  |  None  =  False 

The  second  is  that,  in  a  dependently  typed  language,  subsidiary  case-analysis  can  refine  the  type 
of  previous  arguments.  For  example: 

extract-forgotten  :  (A  :  Set}  (B  :  A  -»  Set} 

->  (f  :  (x  :  A)  ->  Maybe  (B  x)) 

->  (x  :  A)  ->  Check  (forgetMaybe  f  x)  ->  (B  x) 
extract-forgotten  f  x  p  with  f  x 

|  Some  b  =  b 

extract-forgotten _ ()  j  None 

In  the  second  clause,  once  f  x  is  known  to  be  None,  forgetMaybe  computes  to  False,  and  thus  the 
type  of  p  computes  to  Void.  Thus,  we  can  pattern-match  on  p  with  an  absurd  pattern  (),  which 
indicates  to  Agda  that  the  type  in  question  is  uninhabited. 
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Chapter  3 

Security-Typed  Programming 


The  example  described  in  this  chapter  was  developed  jointly  with  Jamie  Morgenstern,  and  pub¬ 


lished  at  ICFP  2010  ( Morgenstern  and  Licata  2010). 


Security-typed  programming  languages  allow  programmers  to  specify  and  enforce  security 
policies,  which  describe  both  access  control — who  is  permitted  to  access  sensitive  resources? — 
and  information  flow — what  are  they  permitted  to  do  with  these  resources  once  they  get  them? 


Aura  (Jia  et  al.,  2008)  and  PCML5  (Avijit  et  al.,  2010)  enforce  access  control  using  dependently 


typed  proof-carrying  authorization  (PCA):  the  run-time  system  requires  every  access  to  a  sen¬ 
sitive  resource  be  accompanied  by  a  proof  of  authorization  (Appel  and  Fcltcn,  11999]),  while  the 
type  system  aids  programmers  in  constructing  correct  proofs.  Fable  (Swamy  et  al(j  |2008j)  and 
Jif  (Chong  et  al. ,  2009)  enforce  information  flow  properties  using  type  systems  that  restrict  the 


use  of  values  that  depend  on  private  information.  Fine  (Swamy  et  al.  2010)  combines  these  tech¬ 
niques  to  enforce  both.  These  languages’  type  systems  employ  a  number  of  advanced  techniques, 
such  as  dependently  typed  authorization  proofs,  indexed  monads  of  computations  at  a  place  and 
on  behalf  of  a  principal  (Avijit  and  Harper,  2007 ),  information  flow  types,  and  affine  types  for 
ephemeral  security  policies. 

In  this  chapter,  we  show  that  security-typed  programming  can  be  embedded  within  a  general- 
purpose  dependently  typed  programming  language,  Agda.  We  implement  a  library,  Aglet,  which 
accounts  for  the  major  features  of  existing  security-typed  programming  languages,  such  as  Aura, 
PCML5,  and  Fine: 

Decentralized  Access  Control:  Access  control  policies  are  expressed  as  propositions  in  an 
authorization  logic,  Garg  and  Pfenning’s  BL0  (jGarg[|2009bj).  This  permits  decentralized  access 
control  policies,  expressed  as  the  aggregate  of  statements  made  by  different  principals  about  the 
resources  they  control.  In  our  embedding,  we  represent  BL0’s  propositions  and  proofs  using 
dependent  types,  and  exploit  Agda’s  type  checker  to  validate  the  correctness  of  proofs. 

Dependently  Typed  PCA:  Primitives  that  access  resources,  such  as  file  system  operations, 
require  programmers  to  provide  a  proof  of  authorization,  which  is  guaranteed  by  the  type  system 
to  be  a  well-formed  proof  of  the  correct  proposition. 

Ephemeral  and  Dynamic  Policies:  Whether  or  not  one  may  access  a  resource  is  often  depen¬ 
dent  upon  the  state  of  a  system.  For  example,  in  a  conference  management  server,  authors  may 
submit  a  paper,  but  only  before  the  submission  deadline.  Fine  accounts  for  ephemeral  policies 
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using  a  technique  called  affine  types,  which  requires  a  substructural  notion  of  variables.  Be¬ 
cause  Agda  does  not  currently  provide  substructurality,  we  show  that  one  can  instead  account 
for  ephemeral  policies  using  an  indexed  monad.  Following  Hoare  Type  Theory  (Nanevski  et  al., 


2008),  we  define  a  type  Q  T  A  T',  which  represents  a  computation  that,  given  precondition 


T,  returns  a  value  of  type  A,  with  postcondition  T' .  Here,  T  and  T'  are  propositions  from  the 
authorization  logic,  describing  the  state  of  resources  in  the  system.  For  example,  consider  the 
operation  in  a  conference  management  server  that  closes  submissions  and  begins  reviewing.  We 
represent  this  by  a  computation  of  type 
O  (InPhase  Submission)  Unit  (InPhase  Reviewing) 

Given  the  conference  is  in  phase  Submission,  this  computation  returns  a  value  of  type  Unit, 
and  the  state  of  the  conference  has  been  changed  to  Reviewing.  For  comparison  between 
the  approaches,  we  adapt  Fine’s  conference  management  example  to  our  indexed  monad.  Aglet 
also  permits  dynamic  acquisition  and  generation  of  policies — e.g.,  generating  a  policy  based  on 
reading  the  state  of  the  conference  management  server  from  a  database  on  startup. 

Authentication:  Following  previous  work  by  Avijit  and  Harper  (2007 ),  we  model  authenti¬ 
cation  with  an  indexed  monad  of  computation  on  behalf  of  a  principal,  which  tracks  the  currently 
authenticated  user.  This  monad  is  equipped  with  a  sudo  operation  for  switching  users,  given 
appropriate  credentials.  We  show  that  computation  on  behalf  of  a  principal  is  a  special  case  of 
our  policy-indexed  monad  O  T  AT' . 

Spatial  distribution:  We  also  show  that  our  policy-indexed  monad  can  be  used  to  model 
spatial  distribution  as  in  PCML5. 

Information  Flow:  Information  flow  policies  constrain  the  use  of  values  based  on  what  went 
into  computing  them,  e.g.  tainting  user  input  to  avoid  SQL  injection  attacks.  We  represent 
information  flow  using  well-established  techniques,  such  as  indexed  monads  [Russo  et  al.  (2008 ) 
and  applicative  functors  (|Swamy  et  al.[|2010]). 

Compile-time  and  Run-time  Theorem  Proving:  Dependently  typed  PCA  admits  a  sliding 
scale  between  static  and  dynamic  verification.  At  the  static  end,  one  can  verify,  at  compile-time, 
that  a  program  complies  with  a  statically-given  authorization  policy.  This  verification  consists  of 
annotating  each  access  to  a  resource  with  an  authorization  proof,  whose  correctness  is  ensured 
by  type  checking.  However,  in  many  programs,  the  policy  is  not  known  at  compile  time — e.g., 
the  policy  may  depend  upon  a  system’s  state.  Such  programs  may  dynamically  test  whether  each 
operation  is  permitted  before  performing  it,  in  which  case  dependently  typed  PCA  ensures  that 
the  correct  dynamic  checks  are  made  and  that  failure  cases  are  handled.  A  program  may  also  mix 
static  and  dynamic  verification:  for  example,  a  program  may  dynamically  check  that  an  expected 
policy  is  in  effect,  and  then,  in  the  scope  of  that  check,  deduce  consequences  statically.  Security- 
typed  languages  use  theorem  provers  to  reduce  the  burden  of  static  proofs  (as  in  Fine)  and  to 
implement  dynamic  checks  (as  in  PCML5).  We  have  implemented  a  certified  theorem  prover  for 
BL0,  based  on  a  focused  sequent  calculus.  Our  theorem  prover  can  be  run  at  compile-time  and  at 
run-time,  fulfilling  both  of  these  roles.  The  theorem  prover  also  saves  programmers  from  having 
to  understand  the  details  of  the  authorization  logic,  as  they  often  do  not  need  to  write  proofs 
manually. 

In  Section [3Tj  we  show  a  variety  of  examples  adapted  from  the  literature,  which  demonstrate 
that  Aglet  accounts  for  programming  in  the  style  of  Aura,  PCML5,  and  Fine.  In  Section  |T2|  we 
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Admin  says  (Vr.Vo.V/. 

(HR  says  employee(r) 

A  System  says  owns(o,  /) 

A  o  says  mayread (r, /)) 

D  mayread (r, /)) 

System  says  owns(Jamie, secret.txt) 

HR  says  employee(Dan) 

HR  says  employee(Jamie) 

Jamie  says  mayread(Dan,  secret.txt) 

Jamie  says  mayread(Jamie,  secret.txt) 

Figure  3.1:  Sample  access  control  policy 

describe  the  implementation  of  Aglet,  including  the  representation  of  the  logic  and  the  imple¬ 
mentation  of  the  theorem  proven  We  discuss  related  work  on  security-typed  programming  in 
Section  1331 


3.1  Examples 

In  this  section,  we  show  that  Aglet  supports  security-typed  programming  in  the  style  of  Aura, 
PCML5,  and  Fine  by  implementing  a  number  of  the  benchmark  examples  considered  in  the 
literature. 


3.1.1  File  IO  with  Access  Control 


First,  we  show  a  dependently  typed  file  system  interface,  a  standard  example  of  security  typed 
programming  (|Avijit  and  Harper[ |2007^ |Swamy  et  al.[ |201Cty | Vaughan  et  al.[ |2008|) . 


Policy 

To  begin,  we  specify  an  authorization  policy  for  file  system  operations  in  BL0  (Figure [371]):  First, 
the  principal  Admin  says  that  for  any  reader,  owner,  and  file,  if  human  resources  says  the  reader  is 
an  employee,  and  the  system  administrator  says  the  owner  owns  the  file,  and  the  owner  says  the 
reader  may  read  a  file,  then  the  reader  may  read  the  file.  Admin  is  a  distinguished  principal  whose 
statements  will  be  used  to  govern  file  system  operations.  Second,  the  system  administrator  says 
Jamie  owns  secret.txt.  Third,  human  resources  says  both  Dan  and  Jamie  are  employees.  Fourth, 
Jamie  says  Dan  and  Jamie  may  read  the  file.  This  policy  illustrates  decentralized  access  control 
using  the  Isaysl  modality:  the  policy  is  the  aggregate  of  statements  by  different  principals  about 
resources  they  control. 

For  the  principal  Dan  to  read  secret.txt,  it  will  be  sufficient  to  deduce  the  goal 


Admin  says  mayread  (Dan,  secret.txt) 
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This  proposition  is  provable  from  the  above  policy  because  of  three  properties  of  says  :  First, 
says  is  closed  under  instantiation  of  universal  quantifiers  (that  is,  k  says  \/x.A(x)  entails  Cx.k  says 
A(x)).  Second,  says  distributes  over  implications  ( k  says  ( A  D  B)  entails  {(k  says  A)  D 
(k  says  B )).  Third,  every  principal  believes  that  every  statement  of  every  other  principal  has 
been  made  (/c  says  A  entails  k'  says  ( k  says  A)) — though  it  is  not  the  case  that  every  principal 
believes  that  every  statement  of  every  other  principal  is  true.  Thus,  the  goal  can  be  proved  by 
using  the  first  clause  of  the  policy  (Admin  says  . . .),  instantiating  the  quantifiers,  and  using  the 
other  statements  in  the  policy  to  satisfy  the  preconditions. 

In  Agda,  we  represent  this  first  clause  as  the  first  element  of  the  following  context  (list  of 
propositions): 

Tpolicy  = 

(►  Prin  "Admin"  says 

(Ve  principal  •  Ve  principal  •  Ve  filename  • 
let  owner  =  t>  (iS  (iS  iO)) 
reader  =  >  (iS  iO) 
file  =  >  iO  in 

(((►  Prin  "HR"  says  (a-  (Employee  •  reader))) 

A  (►  Prin  "System"  says  (a-  (Owner  ■  (owner, file)))) 

A  (owner  says  (a-  (Mayread  •  (reader,  file))))) 

Z> 

(a-  (Mayread  •  (reader, file))))))  :: 

(►  Prin  "Admin"  says 
(Ve  principal  ■ 

Ve  filename  • 

(►  Prin  "System"  says  (a-  (Owner  ■  (>  iS  iO, >  iO)))) 

D 

(a-  (MayChown  •  (>  iS  i0,>  iO)))))  :: 

[] 


The  second  element  of  the  list  expresses  an  additional  policy  clause,  not  discussed  above,  which 
states  that  an  owner  of  a  file  may  change  its  ownership.  Variables  are  represented  as  de  Bruijn 
indices  (iO,  iS),  constants  are  represented  as  injections  of  strings  (i.e.  Admin  is  written  as 
►  Prin  "Admin",  where  Prin  makes  a  constant  out  of  a  string,  and  ►  makes  a  term  out  of 
a  constant),  and  atomic  propositions  are  tagged  with  a  polarity  (a+  or  a-),  which  can  be  thought 
of  as  a  hint  to  the  theorem  proven  Quantifiers  are  written  Ve  r  ■  A,  where  r  is  the  domain  of 
quantification  and  A  is  the  body  of  the  quantifier.  (Here  Ve  is  the  name  of  the  quantifier,  with 
the  e  standing  for  explicit — the  type  r  is  given  as  an  explicit  argument.)  Atomic  propositions  are 


written  p  ■  t,  where  p  is  a  proposition  constant  such  as  Mayread  and  t  is  a  term  (see  Section  3.2. 1 
for  details). 

Next,  we  define  a  context  representing  a  particular  file  system  state.  This  context  includes 
all  the  employee,  ownership,  and  may-read  facts  mentioned  above,  with  one  additional  clause 
saying  that  Dan  may  su  as  Jamie. 
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Estate  = 

(►  Prin  "System"  says 

(a-  (Owner  ■  (►  Prin  "Jamie",  ►  File  "secret-txt")))) 

::  (►  Prin  "HR"  says  (a-  (Employee  •  (►  Prin  "Dan")))) 

::  (►  Prin  "HR"  says  (a-  (Employee  •  (►  Prin  "Jamie")))) 

::  (►  Prin  "Jamie"  says 

(a-  (Mayread  ■  (►  Prin  "Dan">  File  "secret-txt")))) 

::  (►  Prin  "Jamie"  says 

(a-  (Mayread  ■  (►  Prin  "Jamie",  ►  File  "secret-txt")))) 
::  (►  Prin  "Admin"  says 

(a-  (MaySu  ■  (►  Prin  "Dan">  Prin  "Jamie")))) 

Tall  =  Tpolicy  TE  Estate 

Finally,  we  let  Tall  stand  for  the  append  of  Y policy  and  Estate. 


Compile-time  Theorem  Proving 


We  now  explain  the  use  of  our  theorem  prover: 

goal  =  a-  (Mayread  •  (►  Prin  "Dan",^  File  "secret-txt")) 

proof?  :  Maybe  (Proof  Tall  goal) 
proof?  =  prove  15 

theProof  :  Proof  Tall  goal 
theProof  =  solve  proof? 


The  term  proof?  sets  up  acall  to  the  theorem  prover,  attempting  to  prove  mayread(Dan,  secret.txt) 
using  the  policy  specified  by  rail.  Sequent  calculus  proofs  are  represented  by  an  Agda  type  fam¬ 
ily  (0;  A;T;k)  h  A,  where  Q  binds  individual  variables,  A  is  a  context  of  claims  assumptions, 
T  is  context  of  truth  assumptions,  and  k,  the  view,  is  a  principal  from  whose  point  of  view  the 
judgement  is  made.  Informally,  the  role  of  the  view  is  that,  in  a  sequent  whose  view  is  k,  k  says  A 
entails  A;  see  Section  3.2.1  for  details  about  the  logic.  In  this  example,  and  A  will  always  be 
empty,  Y  will  represent  a  policy,  as  above,  and  the  view  k  will  be  Prin  "Admin  " — we  abbreviate 
such  a  sequent  by  Proof  Y  A.  The  context  and  proposition  arguments  to  prove  can  be  inferred  by 
Agda,  and  so  are  left  as  implicit  arguments.  The  term  theProof  checks  that  the  theorem  prover 
succeeds  at  compile-time  in  this  instance.  The  function  solve  has  type: 


solve  :  V  {A}  (s  :  Maybe  A)  ->  {p  :  Check  (isSome  s)}  ->■  A 

The  argument  p,  of  type  Check  (isSome  s),  is  a  proof  that  s  is  equal  to  Some  s’  for  some 
s’.  Because  this  argument  is  implicit,  Agda  will  attempt  to  fill  it  in  by  unification,  which  will 
succeed  when  s  is  definitionally  equal  to  a  term  of  the  form  Some  s’.  In  this  example,  the  call  to 
the  theorem  prover  in  the  term  proof?  proves  the  goal,  computing  definitionally  to  Some  s’  for  a 
proof  s’  of  mayread(Dan,  secret.txt).  Thus,  we  can  use  solve  to  extract  this  proof  s’.  In  general, 
a  call  to  the  theorem  prover  on  a  context  and  a  proposition  that  have  no  free  Agda  variables  will 
always  be  equal  to  either  Some  porto  None. 
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O  :  TCtx+  []  ->  (A  :  Set)  (A  ->•  TCtx+  [])  ->  Set 
return  :  V  {T  A}  ->  A  ->  O  r  A  (A  _  ->  T) 

:  v { a  b  r  r’  r” } 

^  (Or  a r’) 

-  ((x  :  A)  -  O  (r  X)  B  r”) 

->  o  r  b  r 

weakenPre  :  V  {A  T  T'  Tn} 

->  (Good  Tn  ->•  Good  T) 

->  o  r  a  r’  ->  r  c  rn  ->  o  rn  a  r 

weakenPost  :  V  {A  T  T’  Tn} 

->  o  r  a  r’ 

->  ((x  :  A)  (rn  x  C  T’  x)) 

->  ((x  :  A)  ->•  (Good  (r'  x)  Good  (rn  x))) 

->  o  r  a  rn 

getLine  :  V  { T }  ->  O  T  String  (A  _  ->  T) 
print  :  V  { T }  ->  String  ->  O  T  Unit  (A  _  ->  T) 
error  :  V{Arr'}->  String  ->  O  T  A  T’ 

acquire  :  V{Arr'}->  (rn  :  TCtx+  []) 

->  (Good  r  ->■  Good  (rn  4f  T)) 

^0(rn  4f  r)  a  r’  ^  o  r  a  r’ 

->  o  r  a  r 


Figure  3.2:  Monadic  10  with  Authorization 


Computations 


We  present  a  monadic  interface  for  file  operations  in  Figures  3.3  and  3.2  This  figure  shows 


both  the  generic  10  operations,  as  well  as  three  file-specific  operations  for  reading,  creating,  and 
changing  the  owner  of  a  file.  The  type  O  T  A  f  represents  a  computation  with  precondition 
T  and  postcondition  T’.  The  Agda  type  of  a  context  is  TCtx+  []  (a  context  of  positive  truth  as¬ 
sumptions,  with  no  free  individual  variables — see  Section  3.2. 1 ).  The  postcondition  is  a  function 
from  A’s  to  contexts,  so  the  postcondition  may  depend  on  the  computation’s  result  (see  create 
below).  The  generic  operations  are  typed  as  follows:  Because  return  is  not  effectful,  its  postcon¬ 
dition  is  its  precondition.  Bind  (>>=)  chains  together  two  computations,  where  the  postcondition 
of  the  first  is  the  precondition  of  the  second.  Both  pre-  and  postconditions  can  be  weakened  to 


larger  and  smaller  contexts,  respectively;  the  Good  predicate  can  be  ignored  until  Section  3.1.1 


below.  Primitives  like  getLine  (reading  a  line  of  input)  and  print  do  not  change  the  state  and  do 
not  require  proofs.  The  postcondition  of  error  is  arbitrary,  as  it  never  terminates  successfully. 
The  remaining  computations  are  defined  as  follows: 
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sudo  :  V  {T  A  T  A  A’}  -►  (kl  k2  :  ) 

->  Replace  (a+  (As  •  kl))  (a+  (As  •  k2))  T  A 
->  ((x  :  A)  ->  Replace  (a+  (As  •  k2))  (a+  (As  ■  kl)) 

(A’  x)  (F  x)) 

->  (Proof  r  (a-  (MaySu  •  (kl,  k2)))) 

-»•  O  A  A  A’ 

-»•  o  r  a  r 

read  :  V  { T }  (k  :  _)  (file  :  _) 

-»  Proof  T  ((a-  (Mayread  •  (k,  file))) 

A  (a+  (As  ■  k))) 

->  O  r  String  (A  _  T) 
create  :  V  { T }  (k  :  _) 

->  Proof  T  (  (a-  (User  ■  k)) 

A  (a+  (As  ■  k))) 

-»•  O  r  String 

(A  new  ->  (►  Prin  "System"  says 
(a-  (Owner  ■  (k,  ►  File  new))))  ::  T) 

chown  :  V  {T  A}  ->  (k  kl  k2  :  _)  ->  (f  :  _) 

->  Replace  (►  Prin  "System"  says  (a-  (Owner  ■  (kl,f)))) 
(►  Prin  "System"  says  (a-  (Owner  •  (k2,f)))) 

T  A 

->  (Proof  T  ((a+  (As  ■  k)) 

A  (a-  (MayChown  ■  (k,  f))))) 

->  Or  Unit  (A  _  ^  A) 


Figure  3.3:  Monadic  File  10  with  Authorization 
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Read  The  function  read  takes  a  principal  k,  a  file  f,  and  a  proof  argument.  The  proof  ensures 
that  the  principal  k  is  authorized  to  access  the  file  (Mayread  (k,  f))  and  that  the  principal  k  is 
the  currently  authenticated  user  (As  (k)).  An  alternate  type  for  read  would  put  these  facts  in 
the  context  T,  rather  than  as  a  separate  proof  argument;  we  do  not  take  this  approach  because, 
as  discussed  below,  T  will  contain  only  atomic  facts  that  are  known  about  the  policy,  and  not 
arbitrary  logical  consequences  of  them.  We  use  the  proposition  As  to  model  computation  on 
behalf  of  a  principal  (Avijit  and  Harperj  2007 [).  The  proof  is  checked  in  the  context  T  that  is  the 
precondition  of  the  computation,  ensuring  that  it  is  valid  in  the  current  state  of  the  world,  read 
delivers  the  contents  of  the  file  and  leaves  the  state  unchanged. 

An  example  call  to  read  looks  like  this: 


Tj  =  Tall  as  "Jamie" 


jread  :  O  H  String  (A  _  ->  Tj) 

jread  =  read  (►  Prin  "Jamie")  (►  File  " secret-txt ") 

(solve  (prove  17)) 

jreadprint  :  O  Tj  Unit  (A  _  -»■  Tj) 
jreadprint  =  jread  :»=  Ax-> 

print  ("the  secret  is:  "  j  x) 

The  function  call  Tall  as  k  is  shorthand  for  adding  the  proposition  As  (k)  to  the  context  Tall.  The 
computation  jread  reads  the  file  secret.txt  as  principal  Jamie;  the  proof  argument  is  supplied  by 
a  call  to  the  theorem  prover,  which  statically  verifies  that  the  required  fact  is  derivable  from  the 
policy  given  by  Tall.  The  computation  jreadprint  reads  the  file  and  then  prints  the  result. 

Create  The  type  of  create  is  similar  to  read,  in  that  it  takes  a  principal  and  a  proof  that  the 
principal  can  create  a  file  (in  this  case,  the  fact  that  the  principal  is  a  registered  user  is  deemed 
sufficient).  It  returns  a  String,  the  name  of  the  created  file,  and  illustrates  why  postconditions 
must  be  allowed  to  depend  on  the  return  value  of  the  computation:  the  postcondition  says  that  the 
principal  is  the  owner  of  the  newly  created  file.  Thus,  after  a  call  to  create  (k),  the  postconditions 
signify  System  says  Owner  (k,  f),  where  f  is  the  name  of  the  new  file. 

Chown  To  specify  chown,  we  use  a  type  Replace  x  y  T  A,  which  means  that  A  is  the  result 
of  replacing  exactly  one  occurrence  of  x  in  T  with  y.  Replace  (whose  definition  is  not  shown)  is 
defined  by  saying  that  (1)  there  is  a  de  Bruijn  index  i  showing  that  x  is  in  T  and  (2)  A  is  equal 
to  the  output  of  the  function  replace  y  i,  which  recurs  on  the  index  i  and  replaces  the  indicated 
element  by  y.  The  type  of  chown  should  be  read  as  follows:  if  the  principal  k  as  whom  the 
computation  is  running  has  the  authority  to  change  the  owner  of  a  file,  and  replacing  owns  (k,  f) 
with  owns  ( k ' ,  f )  in  T  produces  A,  then  we  can  produce  a  computation  which  changes  the  owner 
of  f  from  k  to  k’,  leaving  the  remaining  context  unchanged. 

Next,  we  show  an  example  call  to  chown,  using  a  context  Tstate’  that  is  the  result  of  replacing 
the  fact  that  Jamie  owns  secret.txt  with  Dan  owning  that  file.  The  computation  dchown  runs  as 
Dan;  it  changes  the  owner  of  the  file  from  Dan  to  Jamie,  and  then  runs  a  computation  drdprnt, 
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defined  below,  that  reads  the  file.  proveReplace  is  a  tactic  used  to  prove  that  rail’  is  Tall  with  the 
ownership  of  secret.txt  changed,  solve  (prove  15)  calls  the  theorem  prover  to  statically  verify 
that  Dan  has  permission  to  chown  secret.txt. 

T state’  =  replace  {_}  {Tstate} 

(►  Prin  "System"  says 

(a-  (Owner  -  (►  Prin  "Dan",^  File  "secret-txt ")))) 
iO 

rail’  =  Tpolicy  Tf-  Tstate’ 

dchown  :  O  (rail'  as  "Dan")  Unit  (A  _  -a  Tall  as  "Dan") 

dchown  =  chown  (►  Prin  "Dan")  (►  Prin  "Dan")  (►  Prin  "Jamie") 

(►  File  "secret-txt") 

(solve  proveReplace)  (solve  (prove  15)) 

»  drdprnt 


Sudo  Following  Avijit  and  Harper](2007 ),  we  now  give  a  well-typed  version  of  the  Unix  com¬ 
mand  sudo,  which  allows  switching  principals  during  execution.  A  first  cut  for  the  type  of  sudo 
is  as  follows: 


sudol  :  V  {T  A  r’}  -f  (kl  k2  :  _) 

->  (Proof  r  (a-  (MaySu  ■  (kl,  k2)))) 

->  O  ((a+  (As  ■  k2))  ::  T)  A  (A  _  ->  (a+  (As  •  k2))  ::  T') 

->  O  ((a+  (As  ■  kl))  ::  T)  A  (A  _  -  (a+  (As  •  kl))  ::  U) 

If  there  is  a  proof  that  kl  may  sudo  as  k2  (e.g.,  a  password  was  provided),  and  As  (kl)  is  in  the 
precondition,  then  it  is  permissible  to  run  a  subcomputation  as  k2.  This  subcomputation  has  a 
postcondition  saying  that  it  terminates  running  as  k2,  and  then  the  overall  computation  returns 
to  running  as  kl.  Because  our  contexts  are  ordered  (represented  as  lists  rather  than  sets),  sudo 
has  the  type  in  Figure  [53}  which  allows  the  As  facts  to  occur  anywhere  in  the  context,  sudo’s 
type  may  be  read:  if  replacing  As  (kl)  with  As  (k2)  in  T  equals  A,  and  if  replacing  As  (k2)  with 
As  (kl)  in  A’  equals  T’,  and  k2  has  permission  to  su  as  kl,  then  a  computation  with  preconditions 
A  and  postconditions  A’  can  produce  a  computation  with  preconditions  T  and  postconditions  r\ 
The  following  example  call  to  sudo  defines  a  computation  as  Dan  that  su’s  as  Jamie  to  run 
the  computation  j  read  print  defined  above: 

drdprnt  :  O  (rail  as  "Dan")  Unit  (A  _  ->  Tall  as  "Dan") 
drdprnt  =  sudo  (►  Prin  "Dan")  (►  Prin  "Jamie") 

(solve  proveReplace) 

(A  _  -a  solve  proveReplace) 

(solve  (prove  15)) 
jreadprint 

This  requires  proving  that  Tstate  as  "Jamie"  and  Tstate  as  "Dan"  are  related  by  replacing 
As  (Prin  "Jamie")  with  As  (Prin  "Dan")  (in  both  directions).  Our  tactic  proveReplace  proves 
all  of  these  equalities.  Additionally,  the  theorem  prover  statically  verifies  Dan  may  su  as  Jamie 
under  the  policy  Tall  as  "Dan". 
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Acquire  The  function  acquire  allows  a  program  to  check  whether  a  proposition  is  true  in  the 
state  of  the  world.  This  construct  is  inspired  by  acquire  in  PCML5,  but  there  are  slight  dif¬ 
ferences:  in  PCML5,  acquire  does  theorem  proving  to  prove  an  arbitrary  proposition  from  the 
policy,  whereas  here  acquire  only  verifies  the  truth  of  state-dependent  atomic  facts  (which  have 


no  evidence)  and  statements  of  principals  (whose  only  evidence  is  a  digital  signature  ( Avijit  et  al. 


2010;  Jia  et  al.,  2008)).  The  function  acquire  takes  two  continuations:  one  to  run  if  the  check  is 


successful,  whose  precondition  is  extended  with  the  proposition,  and  an  error  handler,  whose  pre¬ 
condition  is  the  current  context,  to  run  if  the  check  fails.  In  fact,  we  allow  acquire  to  test  an  entire 
context  at  once:  given  a  context  Tn,  a  computation  with  preconditions  T  extended  with  Tn  (the 
success  continuation),  and  a  computation  with  preconditions  T  (the  error  continuation),  acquire 
returns  a  computation  with  preconditions  T.  We  use  the  notation  acquire  Tn  /  \_  no=^  s  yes=^  f 
to  write  a  call  to  acquire  in  a  pattern-matching  style.  The  \_  elides  a  Good  argument,  which  is 
explained  below. 


main  :  O  []  Unit  (A  _  ->•  []) 

main  =  acquire  (Tall  as  "Jamie")  /  _ 

no=^  error  "acquiring  policy  failed" 
yes=»  wea  ken  Post  j  read  print  (A  _  ())  _ 


This  example  call  begins  and  ends  in  the  empty  context.  The  call  to  acquire  examines  the  system 
state  to  check  the  truth  of  each  of  the  propositions  in  Tall  as  "Jamie".  If  all  of  these  are 
true,  then  we  run  jreadprint  and  use  weakening  to  forget  the  postconditions.  If  some  proposition 
cannot  be  verified,  then  main  calls  error. 


Verifying  Policy  Invariants 

When  authoring  the  above  monadic  signature  for  file  10,  the  programmer  may  have  in  mind 
some  invariants  to  which  policies  T  must  adhere.  For  example,  a  call  to  chown  (above)  would 
have  unexpected  consequences  if  there  ever  were  more  than  one  copy  of  System  says  owns  (k,  f) 
in  T  (only  one  copy  would  be  replaced,  leaving  a  file  with  two  owners  in  the  postcondition). 
Our  interface  permits  programmers  to  specify  context  invariants  using  a  predicate  Good  T.  The 
intended  invariant  of  our  interface  is  that  a  monadic  computation  O  T  A  T'  should  have  the 
property  that  T’  satisfies  Good  if  T  does.  To  achieve  this,  the  weakening  operations  and  acquire 
require  the  preconditions  T  be  accompanied  by  a  proof  of  Good  T,  and  the  programmer  must 
verify  that  operations  such  as  read,  chown,  and  sudo  preserve  the  invariant.  Because  of  this 
invariant,  it  is  not  necessary  to  make  each  monadic  operation  require  a  proof  that  the  precondition 
is  Good.  This  means,  that  when  writing  a  client  program,  the  programmer  needs  only  to  verify 
that  the  initial  policy  and  those  in  calls  to  weakening  and  acquire  satisfy  the  invariants. 

In  the  above  examples,  we  took  Good  to  be  the  trivially  true  invariant,  so  the  proofs  could  be 
elided  with  an  As  mentioned  above,  a  useful  invariant  to  enforce  is  that  for  every  file  f  there 
is  at  most  one  statement  of  the  form  System  says  Owner  (_,  f)  in  the  context.  This  is  defined  in 
Agda  as  follows: 
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Good  :  TCtx+  []  ->  Set 
Good  T  =  V  {  k  k’  f } 

->  (a  :  (►  Prin  "System"  says  (a-  (Owner  •  (k, f))))  G  F) 

->  (b  :  (►  Prin  "System"  says  (a-  (Owner  ■  (k',f))))  G  T) 

-»•  Equal  a  b 

Then  we  may  prove  that  the  postcondition  of  each  operation  is  Good  if  the  precondition  is; 
e.g. 

ChownPreservesGood  :  V  (T  A  kl  k2  f} 

->  Replace  (►  Prin  "System"  says  (a-  (Owner  ■  (kl,f)))) 

(►  Prin  "System"  says  (a-  (Owner  ■  (k2, f)))) 

r  a 

->  Good  T  ->  Good  A 

In  the  companion  code,  we  revise  the  above  examples  so  that  they  maintain  this  invariant,  using 
a  tactic  to  generate  the  proofs. 


3.1.2  File  IO  with  Access  Control  and  Information  Flow 


Next,  we  extend  the  above  file  signature  with  information  flow,  adapting  an  example  from 
Fine  (Swamy  et  al.,  2010).  First,  we  define  a  type  Tracked  A  L  which  represents  a  value  of 
type  A  tracked  with  security  level  L,  where  L  is  a  list  of  filenames  and  U  appends  two  lists. 
Following  Fine,  we  define  Tracked  as  an  abstract  functor  that  distributes  over  functions  (though 
different  type  structures  for  information  flow,  such  as  an  indexed  monad  (Russo  et  al.  2008 ),  can 
be  used  in  other  examples): 


Tracked  :  Set  ->  Label  ->  Set 

fmap  :  V{A  B  L}  ->  (A  ->  B)  ->  Tracked  A  L  ->  Tracked  B  L 
_©_  :  V  {A  B  LI  L2 }  ->•  Tracked  (A  ->  B)  LI 
->  Tracked  A  L2  -r  Tracked  B  (LI  U  L2) 

An  application  f  0  x  joins  the  security  levels  of  the  function  and  the  argument. 

Next,  we  give  flow-sensitive  types  to  read  and  write:  read  tags  the  value  with  the  file  it  was 
read  from,  and  write  requires  a  proof  of  MayAIIFlow  provs  file,  representing  the  fact  that  all  of 
the  files  upon  which  the  written  string  depends  may  flow  into  file. 

read  :  V  { T }  (k  :  _)  (file  :  ) 

->  Proof  T  ((a-  (Mayread  ■  (k,  file)))  A  (a+  (As  ■  k))) 

->  O  r  (Tracked  String  [file])  (A  _  ->  T) 

write  :  V  (T  provs}  (k  :  _)  (file  :  _) 

->  Tracked  String  provs 

->  Proof  T  ((a-  (Maywrite  •  (k,  file))) 

A  (a+  (As  •  k)) 

A  (MayAIIFlow  provs  file)) 

->  o  r  Unit  (A  _  ^  r) 
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For  example,  we  can  read  two  files  and  write  their  concatenation  to  secret.txt: 

go  :  O  (r  as  "Jamie")  Unit  (A  _  (r  as  "Jamie")) 
go  =  read  (►  Prin  "Jamie")  (►  File  "filel.txt") 

(solve  (prove  15))  A  s  -> 
read  (►  Prin  "Jamie")  (►  File  "file2-txt") 

(solve  (prove  15))  :»=  A  s'  -> 
write  (►  Prin  "Jamie")  (►  File  " secret-txt ") 

((fmap  String. string-append  s)  0  s') 

(solve  (prove  15)) 

Here  the  theorem  prover  shows  that  both  filel.txt  and  file2.txt  may  flow  into  secret.txt,  according 
to  the  policy.  This  proof  obligation  results  from  the  fact  that 
(fmap  String. string-append  s)  ©  s’ 
has  type 

Tracked  String  ["filel.txt",  "file2.txt"]. 


3.1.3  Spatial  Distribution  with  Information  Flow 


PCML5  investigates  PC  A  for  the  spatially  distributed  programming  language  ML5  (Murphy  VII 


2008).  Here,  we  show  how  to  embed  an  ML5-style  type  system,  which  can  be  combined  with  the 
above  techniques  for  access  control  and  information  flow.  PCML5  considers  additional  aspects 
of  distributed  authorization,  such  as  treating  the  policy  itself  as  a  distributed  resource,  which  we 
leave  to  future  work. 

ML5  tracks  where  resources  and  computations  are  located  using  modal  types  of  the  form 
A  @  w.  For  example,  database. read  :  (key  ->  value)  @  server  says  that  a  function  that  reads 
from  the  database  must  be  run  at  the  server,  while  javascript. alert  :  (string  ->  unit)  @  client 
says  that  a  computation  that  pops  up  a  browser  alert  box  must  be  run  at  the  client.  Network 
communication  is  expressed  in  ML5  using  an  operation  get  :  (unit  ->  A)  @  w  ->  A  @  w’  that 
(under  some  conditions  which  we  elide  here)  goes  to  w  to  run  the  given  computation  and  brings 
the  resulting  value  back  to  w'.  In  other  work  (Licata  and  Harper,  2010),  we  have  shown  how  to 
build  an  ML5-like  type  system  on  top  of  an  indexed  monad  of  computations  at  a  place,  O  w  A, 
with  a  rule  get  :  O  w  A  ->  O  w  A.  Here,  observe  that  this  monad  indexing  can  be  represented 
using  a  proposition  At  (w),  where  get  is  given  a  type  analogous  to  sudo: 


get  :  (wl  w2  :  _)  ^  V{T  AT'  A  A’} 

->  Replace  (a+  (At  •  wl))  (a+  (At  •  w2))  T  A 
->  Replace  (a+  (At  •  w2))  (a+  (At  •  wl))  A’  T' 
^OAA(A_^Aj 
->  O  r  (Tracked  A  w2)  (A  _  -*■  T’) 


Additionally,  we  combine  spatial  distribution  with  information  flow,  tagging  the  return  value  of 
the  computation  with  the  world  it  is  from.  The  postcondition  must  be  independent  of  the  return 
value,  as  there  is  in  general  no  coercion  either  way  between  A  and  Tracked  A  L. 


3.1.  EXAMPLES 


41 


Information  flow  can  be  used  in  this  setting  to  force  strings  to  be  escaped  before  they  are  sent 
back  to  the  client — e.g.  to  prevent  SQL  injection  attacks: 

sanitize  :  Tracked  String  (►  client)  -a  HTML 
str  :  Tracked  String  (►  server)  HTML 

Strings  from  the  client  must  be  escaped  before  they  can  be  included  in  an  HTML  document, 
whereas  strings  from  the  server  are  assumed  to  be  non-malicious,  and  can  be  included  directly. 


3.1.4  ConfRM:  A  Conference  Management  System 


Swamy  et  al.  (120 1  Oj)  present  an  example  of  a  conference  management  server,  ConfRM,  adapted 


from  Continue  (Krishnamurthi[  2003)  and  its  access  control  policy  (Dougherty  et  al.[|2006). 
Here,  we  show  an  excerpt  of  an  authorization  policy  for  ConfRM,  a  proof-carrying  monadic 
interface  to  the  computations  which  perform  actions,  and  the  main  event  loop  of  the  server.  This 
example  uses  ephemeral  policies:  authorization  to  perform  actions,  such  as  submitting  a  paper 
or  a  review,  depend  on  the  phase  of  the  conference  (submission,  notification,. . . ). 


Policy 

We  formalize  ConfRM’s  policy  using  terms  of  various  types:  actions  represent  requests  to  the 
web  server;  principals  represent  users;  papers  and  strings  are  used  to  specify  actions;  roles  define 
whether  a  user  is  an  Author,  PCMember,  and  so  on.  The  policy  is  also  dependent  on  the  phase  of 
the  conference  (e.g.,  an  Author  may  submit  a  paper  during  the  submission  phase).  The  proposi¬ 
tion  May  ■  (k,  a)  states  that  k  may  perform  action  a.  Each  action  is  a  first-order  term  constructed 
from  some  arguments  (e.g.,  Submit,  Review,  Readscore,  Read  all  have  papers,  while  Progress  has 
two  phases,  the  phase  the  conference  is  in  before  and  after  it  is  progressed). 

Fine  specifies  the  policy  as  a  collection  of  Horn  clauses,  which  are  simple  to  translate  to  our 
logic,  as  in  the  following  clause: 

clausel  = 

(  (Ve  principal  •  Ve  string  • 
let 

author  =  >  iS  iO 
papername  =  >  iO 
in 

((  (a-  (InPhase  •  (►  Submission)))  A 
(  (a-  (  InRole  ■  (author  ,  ►  Author))))) 

D  (a-  (May  •  (author  ,  (Submit  •  papername))))))) 

This  proposition  reads:  for  all  authors  and  paper  names,  if  the  conference  is  in  the  submission 
phase,  and  the  principal  is  an  author,  then  the  principal  may  submit  a  paper.  We  have  also  begun 
to  reformulate  the  policy  using  the  says  modality,  e.g.  to  allow  authors  to  share  their  paper 
scores  with  their  coauthors. 
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saysClause  = 

(  (Ve  principal  ■  Ve  paper  ■  Ve  principal  ■ 
let  primary  =  >  iO 
paper  =  >  (iS  iO) 
coauthor  =  >  (iS  (iS  iO))  in 
((  (  (a-  (InPhase  ■  (►  Notification))))  A 
(  (a-  (Author  ■  (primary  ,  paper)  )))  A 
(primary  says  (a-  (May  •  (coauthor  , 

(Readscore  •  paper)))))) 

D  (a-  (May  •  (coauthor  ,  (Readscore  •  paper))))))) 

This  rule  states  that,  for  any  principal  author,  paper  paper,  and  principal  coauthor,  if  the 
conference  is  in  notification  phase,  and  author  is  the  author  of  paper,  and  author  says 
coauthor  may  read  the  scores  for  paper,  then  coauthor  may  read  the  scores  for  paper. 
Similarly,  using  says,  it  is  straightforward  to  specify  a  policy  allowing  PC  members  to  delegate 
reviewing  assignments  to  subreviewers. 

Actions 

Rather  than  defining  a  command  for  each  action — doRead,  doSubmit,  etc. —  we  use  type-level 
computation  to  write  one  command  for  processing  all  actions;  this  simplifies  the  code  for  the 
main  loop  presented  below  and  allows  for  straightforward  addition  of  actions.  The  generic  com¬ 
mand  for  processing  an  action,  doaction,  has  the  following  type: 

doaction  :  V{T}  (k  :  _)  (a  :  _)  ->  (e  :  ExtraArgs  T  a) 

->  Proof  T  (a-  (May  •  (k,  a)))  A  (a+  (As  ■  k)) 

->  O  r  (Result  a)  (A  r  ->  Postcondition  a  T  e  k  r) 

doaction  takes  a  principal  k,  an  action  a  to  perform,  and  some  ExtraArgs  for  a,  along  with 
a  proof  that  the  computation  is  running  as  k,  and  that  k  may  perform  a.  In  this  example,  a 
Proof  abbreviates  a  sequent  whose  view  is  PCChair,  rather  than  Admin.  It  returns  a  Result,  and 
has  a  Postcondition,  both  of  which  are  dependent  upon  the  action  being  performed.  In  Agda, 
ExtraArgs,  Result,  and  Postconditions  are  functions  defined  by  recursion  on  actions,  which  com¬ 
pute  a  Set,  a  Set,  and  a  context,  respectively. 

Several  actions,  such  as  Submitting  a  paper,  require  extra  data  that  is  not  part  of  the  logical 
specification  (e.g.,  the  contents  of  the  paper  should  not  be  part  of  the  proposition  which  authorizes 
it  to  be  submitted).  ExtraArgs  produces  the  set  of  additional  arguments  each  action  requires. 

ExtraArgs  :  TCtx+  []  ->  Term  []  (►  action)  ->  Set 
ExtraArgs  T  (Review  •  _)  =  Term  []  (►  string) 

ExtraArgs  T  (Submit  •  _)  =  Term  []  (►  string) 

ExtraArgs  T  (Progress  •  (pi,  p2))  = 

E  (A  A  ->  Replace  (a-  (InPhase  •  pi))  (a-  (InPhase  •  p2))  T  A) 

ExtraArgs  T  _  =  Unit 

Reviews  and  paper  submissions  require  their  contents,  represented  as  terms  of  type  string  (the 
Agda  type  Term  []  (►  string)  is  an  injection  of  strings  into  the  language  of  first-order  terms  that 
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we  use  to  represent  propositions,  as  described  in  Section  [3T2]  below) .  Progressing  the  phase  of 
the  conference  requires  a  proof  that  the  conference  is  in  the  first  phase,  along  with  a  new  context 
in  the  resulting  phase,  which  we  represent  by  a  pair  of  a  new  context  A  and  a  proof  of  Replace. 

Next,  we  specify  the  result  type  of  an  action: 

Result  :  Term  []  (►  action)  ->  Set 
Result  (Submit  ■  _)  =  Term  []  (►  paper) 

Result  (Review  ■  _)  =  Unit 
Result  (BeAssigned  •  _)  =  Unit 
Result  (Readscore  ■  _)  =  String 
Result  (Read  •  _)  =  String 
Result  (Progress  ■  _)  =  Unit 

Readscore  and  Read  return  a  paper’s  reviews  and  contents,  while  submit  produces  a 
Term  []  (►  paper),  a  unique  id  for  the  paper. 

Finally,  we  define  the  PostCondition  of  each  action,  which  is  dependent  upon  the  action 
itself,  the  precondition,  the  extra  arguments  for  the  action,  the  principal  performing  the  action, 
and  the  Result  of  the  action.  Submitting  a  paper  extends  the  preconditions  with  two  propositions: 
one  saying  the  paper  has  been  submitted,  and  one  saying  the  submitting  principal  is  its  author. 
Reviewing  and  Assigning  a  paper  add  that  the  paper  is  reviewed  by  or  assigned  to  the  principal, 
respectively.  Readscore  and  Read  leave  the  conditions  unchanged.  The  postcondition  of  Progress 
is  the  first  component  of  its  ExtraArgs,  i.e.  the  context  determined  by  replacing  the  current  phase 
with  the  resulting  one. 

PostCondition  :  (a  :  Term  []  (►  action))  (T  :  TCtx+  []) 

->  ExtraArgs  T  a  (k  :  Term  []  (►  principal)) 

->  Result  a  ->  TCtx+  [] 

PostCondition  (Submit  •  y)  T  e  k  r  =  (a-  (Submitted  ■  r))  ::  (a-  (Author  •  (k,  r)))  ::  T 

PostCondition  (Review  •  y)  T  e  k  r  =  (a-  (Reviewed  ■  (k, y)))  ::  T 

PostCondition  (BeAssigned  •  y)  T  e  k  r  =  (a-  (Assigned  •  (k,y)))  ::  T 

PostCondition  (Readscore  •  y)  T  e  k  r  =  T 

PostCondition  (Read  •  y)  T  e  k  r  =  T 

PostCondition  (Progress  ■  (phi,  ph2))  T  e  k  r  =  (fst  e) 

In  writing  the  main  server  loop,  we  will  use  the  following  monadic  wrapper  of  our  theorem 
prover,  in  order  to  test  at  run  time  whether  a  given  proposition  holds  in  the  current  state  of  the 
server: 

prove/dyn  :  V  { T 1 }  ->  Nat  ->  (T  :  TCtx+  [])  -> 

(A  :  Propo-  [])  -> 

O  n  (Maybe  (Proof  T  A))  (A  _  ->  T 1) 


Server  Main  Loop 

In  Figure  |3.4|  we  show  the  code  for  the  main  loop  of  the  ConfRM  server,  implemented  using 
the  interface  described  above.  The  main  loop  serves  requests  made  by  principals  who  wish 


44 


CHAPTER  3.  SECURITY-TYPED  PROGRAMMING 


fix  :  V{Ar’} 

-  ((V  {r}  -  O  r  a  n  -  (v  {r}  -  o  r  a  r’)) 

^  (v  {r}  ^  o  r  a  r) 

main  :  V  { T }  ->  O  T  Unit  (A  _  ->  []) 
main  =  fix  loop  where 

loop  :  (V  {r}  ->  O  r  Unit  (A  _  [])) 

(V  {T}  -  O  r  Unit  (A  _  ^  [])) 
loop  rec  {  r  }  = 

prompt  "Enter  an  action:"  >■=  A  astr {-1-} 
case  (parseAction  astr) 

None=k  error  "Unknown  action" 

Some=k  A  actionArgs  -> 
let  a  =  (fst  actionArgs) 

args  =  (snd  actionArgs)  in 

prompt  "Who  are  you?"  A  ustring  ->  {-2-} 

let  u  =  parsePrin  ustring  in 

acquire  [(  (a-  (MaySu  •  (►  Prin  "Admin",  u))))]  {-3  -} 

/  - 

no=k  error  "Unable  to  su" 

yes=^  case  make-replace  {-4  -} 

None=^  error  "oops,  not  running  as  admin" 

Some=^  A  asadmin  -> 

case  (inputToE  a  _  args)  {-5-} 

None=^  error  "Bad  input  (e.g.  not  in  phase)" 
Some=^  A  args  -> 

(sudo  (►  Prin  "Admin")  u  {-6-} 

(snd  asadmin) 

(\x  ->  (snd  (repAsPost  (snd  asadmin) 

'  (a }  x))) 

(Ifoc  iO  in  it-) 

(prove/dyn  15 »=  {-7  -} 

none=k  error  "Unauthorized  action" 

some^>  A  canDoAction  -> 

doaction  u  a  args  canDoAction))  {-8  -} 

»=  A  _  ->  rec  {-9  -} 


Figure  3.4:  ConfRM  Main  Loop 
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to  perform  actions.  Because  the  requests  are  not  determined  until  run-time,  and  authorization 
depends  on  the  system  state  (the  phase  of  the  conference,  the  role  of  a  principal),  this  example 
uses  entirely  dynamic  verification  of  security  policies:  the  server  dynamically  checks  that  each 
request  is  authorized  just  before  performing  it,  using  our  theorem  prover  at  run-time.  The  type 
system  ensures  that  the  appropriate  dynamic  check  is  made.  Informally,  the  server  loop  works  by 
(1)  reading  in  an  action  and  its  arguments,  (2)  reading  in  a  principal,  (3)  acquiring  the  credentials 
to  su  as  that  principal,  (4)  computing  the  precondition  of  the  su,  (5)  computing  the  postconditions 
of  performing  the  action,  (6)  su-ing  as  the  principal,  (7)  proving  the  principal  may  perform  the 
action,  (8)  performing  the  action,  and  (9)  recurring.  The  fact  that  we  have  coalesced  all  of 
the  actions  into  one  primitive  command  makes  this  code  much  more  concise  than  it  would  be 
otherwise,  when  we  would  have  to  repeat  essentially  this  code  as  many  times  as  there  are  actions. 

This  code  is  rendered  in  Agda  as  follows,  fix  permits  an  10  computation  to  be  defined  by 
general  recursion.  Because  its  type  is  restricted  to  the  monad,  it  does  not  permit  non-terminating 
elements  of  other  types,  such  as  Proof.  This  fixed-point  combinator  abstracts  over  the  pre¬ 
condition,  so  it  may  vary  in  recursive  calls,  but  leaves  the  postcondition  fixed  throughout  the 
loop;  we  leave  more  general  loop  invariants  to  future  work.  First,  main  is  given  the  type 
V  A  T  ->•  O  r  Unit  (A  _  ->  []):  given  any  precondition,  the  computation  returns  unit  and 
an  empty  postcondition  (we  do  not  expect  to  run  any  code  following  main  so  it  is  not  worth¬ 
while  to  track  the  postconditions),  main  is  defined  by  taking  the  fixed  point  of  the  axillary 
function  loop,  which  is  abstracted  over  the  recursive  call.  On  line  (1),  the  loop  prompts  the 
user  to  enter  an  action  to  perform,  parseAction  then  parses  the  string  to  produce  a  :  action  and 
args:  InputArgs,  and  raises  an  error  otherwise.  (2)  The  loop  prompts  for  a  username,  parses  it 
into  a  Term  []  principal.  (3)  The  loop  attempts  to  acquire  credentials  that  "Admin"  may  su  as 
the  principal  (e.g.,  by  prompting  for  a  password).  (4)  The  loop  calls  the  functions  make-replace 
to  produce  the  preconditions  for  the  su,  by  replacing  (As  (Prin  "Admin"))  with  a+  (As  u).  (5) 
The  loop  calls  inputToE  to  produce  the  ExtraArgs  for  the  action  from  the  args;  for  Progress,  this 
function  computes  the  postcondition  of  the  action  from  the  current  context.  (6)  The  loop  su-s  as 
the  principal.  The  first  replace  argument  to  su  is  the  result  of  step  (4),  the  proof  argument  is  the 
assumption  acquired  in  step  (3),  the  second  replace  argument  is  discussed  below.  (7)  The  loop 
calls  the  theorem  prover  at  run-time  to  prove  the  principal  may  perform  the  requested  action.  (8) 
The  loop  calls  doaction  and  (9)  recurs. 

The  second  replace  argument  to  su  is  generated  using  a  proof  that  As  is  preserved  in  the 
PostCondition  of  an  action: 

postPreservesAs  :  VjaTekrk’} 

->  (a+  (As  •  k’)  G  T) 

->  ((a+  (As  ■  k’))  G  PostCondition  a  T  e  k  r) 

This  is  another  example  of  using  Agda  to  verify  invariants  of  the  pre-  and  post-conditions,  as  in 
Section  |3TT] 

Dynamic  Policy  Acquisition 

Finally,  we  describe  an  example  of  dynamic  policy  acquisition  in  Figure  |3.5[  we  read  the  re¬ 
viewers’  paper  assignments  from  a  database,  parse  the  result  into  a  context,  acquire  the  context, 
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getReviewerAsgn  :  V  { T  }  ->  String  -> 

O  r  (List  (List  String))  (A  _  ->  T) 
parseReviewers  :  List  String  ->  TCtx+  [  | 


mkPolicy  :  V  {T}  ->  O  T  (TCtx+  [])  (A  _  -»•  T) 
mkPolicy  =  getReviewerAsgn  "papers,  db"  :»=  A  asgn  -a 
return  ( ListM .fold  []  (Ax->  Ay-> 
parseReviewers  x  -ft-  y)  asgn) 

start  =  mkPolicy  {[]}  :»=  A  ctx  -> 
acquire  ctx  /  _ 

no=>-  error  "policy  not  accepted" 

yes=>-  main 


Figure  3.5:  ConfRM  Policy  Acquisition 


and  start  the  main  server  loop  with  those  preconditions.  This  is  simple  in  a  dependently  typed 
language  because  contexts  themselves  are  data.  The  function  getReviewerAsgn  takes  a  string, 
representing  a  path  to  the  database,  and  returns  the  list  of  reviewers  for  each  paper.  The  function 
parseReviewers  then  turns  each  of  these  lists  into  lists  of  propositions,  each  stating  the  parsed  re¬ 
viewer  is  a  reviewer  of  the  paper.  A  more  realistic  ConfRM  implementation  would  read  a  variety 
of  other  propositions  from  the  database  as  well  (which  papers  have  been  submitted,  reviewed, 
etc.)  The  computation  mkPolicy  calls  getReviewerAsgn  and  parses  the  results.  The  computation 
start  uses  mkPolicy  to  generate  an  initial  policy,  acquires  these  preconditions,  and  starts  the  main 
sever  loop. 


3.2  Implementation 

Our  Agda  implementation  consists  of  about  1400  lines  of  code.  We  have  also  written  about 
1800  lines  of  example  code  in  the  embedded  language,  including  policies,  monadic  interfaces  to 
primitives,  and  example  programs.  In  this  section,  we  describe  the  implementation  of  the  logic, 
the  theorem  prover,  and  the  indexed  monad. 


3.2.1  Representing  BL0 


The  definition  of  says  in  BL0  supports  exclusive  delegation ,  where  a  principal  delegates  respon- 
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sibility  for  a  proposition  to  another  principal,  without  retaining  the  ability  to  assert  that  propo¬ 
sition  himself.  For  example,  consider  a  policy  that  payroll  says  V£.(HR  says  employee(t))  D 
MayBePaid(t).  Under  what  circumstances  can  we  conclude  payroll  says  MayBePaid(Alice)? 
The  fact  that  HR  says  employee(Alice)  should  be  sufficient.  However,  the  fact  that  payroll  says 
employee(Alice)  should  not,  as  the  intention  of  the  policy  is  that  payroll  delegates  responsibility 
for  the  employee  predicate  to  human  resources,  without  retaining  the  ability  to  assert  employee 
instances  itself.  When  says  is  treated  as  a  lax  modality,  payroll  says  employee(Alice)  implies 
payroll  says  HR  says  employee(Alice),  which  is  enough  to  conclude  the  goal.  Abstractly,  we 
wish  k  says  A  to  imply  k'  says  ( k  says  A),  but  not  k  says  ( k '  says  A).  The  modality  satisfies 
several  other  axioms;  in  a  Hilbert-style  combinator  system,  it  can  be  described  as  follows: 
h  S 


F  k  says  A 

(Necessity) 

k  says  (A  D  B)  D  ( k  says  A  D  k  says  B ) 

(K) 

( k  says  A)  D  {k'  says  ( k  says  A)) 

(I) 

k  says  (( k  says  A)  D  A) 

(C) 

( k  says  A)  D  (k1  says  A)  if  k'  >  k 

(S) 

The  last  axiom  refers  to  a  delegation  order  on  principals,  which  automatically  includes  the  state¬ 
ments  of  one  principal  into  another. 

Terms,  Types,  and  Atomic  Propositions 

In  the  above  examples,  we  used  a  variety  of  atomic  propositions  (Mayread,  Owns,  etc.),  which 
refer  to  several  datatypes  (principals,  papers,  conference  phases,  etc.).  Though  we  are  attempting 
to  do  this  example  in  “raw  Agda,”,  we  could  not  help  but  embed  a  simple  logical  framework,  so 
that  the  representation  of  BL0  and  its  theorem  prover  can  be  parametrized  over  such  datatypes 
and  atomic  propositions.  In  particular,  we  implement  the  simplest  possible  logical  framework: 
first-order  terms,  with  free  variables,  over  a  given  signature.  This  allows  us  to  specify  the  types, 
terms,  and  propositions  for  an  example  concisely,  while  exploiting  a  datatype-generic  definition 
of  the  structural  properties  when  we  state  the  inference  rules  of  the  logic.  The  following  excerpt 
from  the  signature  for  ConfRM  illustrates  what  one  writes  to  instantiate  the  logical  framework 
to  a  specific  example: 

data  BaseType  :  Set  where 
string  paper  role  action  phase  principal  :  BaseType 

data  Const  :  BaseType  ->  Set  where 
Prin  :  String  ->  Const  principal 
Paper  :  String  ->  Const  paper 
PCChair  Reviewer  Author  Public  :  Const  role 
Init  Presubmission  Submission  ...  :  Const  phase 

data  Func  :  BaseType  ->  Type  ->  Set  where 
Review  BeAssigned  ...  :  Func  action  (►  paper) 

Progress  :  Func  action  (►  phase  g)  ►  phase) 
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data  Atom  :  Type  ->  Set  where 
InPhase  :  Atom  (►  phase) 

Assigned  ...  :  Atom  (►  principal  0  ►  paper) 
May  :  Atom  (►  principal  0  ►  action) 

As  :  Atom  (►  principal) 


The  programmer  defines  a  datatype  of  base  types,  a  datatype  giving  constants  of  each  type,  a 
datatype  of  function  symbols,  and  a  datatype  of  atomic  propositions  over  a  given  type.  Addition¬ 
ally,  the  programmer  must  define  a  couple  of  operations  on  these  types  (equality,  enumeration 
of  all  elements  of  a  finite  type)  which  in  a  future  version  of  Agda  could  be  generated  automati¬ 
cally  ( Altenkirch  and  McBride,  2003 ). 


My  First  Logical  Framework 

First,  we  define  an  interface  that  formalizes  the  notion  of  a  signature :  what  the  programmer 
specifies  to  instantiate  the  framework  to  a  particular  example.  The  above  datatypes  BaseType, 
Const,  etc.  will  constitute  one  such  signature.  We  represent  this  in  Agda  with  a  record  type: 

record  TermSig  :  Setl  where 
field 

BaseType  :  Set 

Const  :  BaseType  ->  Set 

typeEq  :  (A  B  :  BaseType)  Maybe  (Id  A  B) 

constEq  :  V  (A  :  BaseType}  (CC  :  Const  A)  Maybe  (Id  C  C’) 

allConst  :  (extraStrings  :  List  String)  ->•  {A  :  BaseType}  ->■  List  (Const  A) 
module  Typ  =  Types  BaseType 

field 

Func  :  BaseType  ->  Typ. Type  ->  Set 

allFuncs  :  (r  :  BaseType)  List  (E  (A  (A  :  Typ. Type)  ->  Func  r  A)) 
funcEq  :  V  (rl  r2  :  BaseType}  (A1  A2  :  Typ. Type} 

(Cl  :  Func  rl  Al)  ->  (C2  :  Func  t2  A2) 

->  Maybe  (Id  rl  r2  x  Id  Al  A2  x  Hid  Cl  C2) 

The  programmer  defines  a  set  of  BaseTypes,  and  a  set  Const  of  constants  of  each  BaseType. 
When  we  implement  the  theorem  prover  below,  we  will  need  to  compare  types  and  terms  for 
equality,  and  enumerate  all  terms  of  a  given  signature,  so  we  additionally  require  functions  that 
compare  BaseTypes  and  Constants  and  enumerate  all  Constants. 

The  parametrized  module  Types  defines  the  types  over  a  given  collection  of  base  types: 

module  Types  (BaseType  :  Set)  where 
data  Type  :  Set  where 
►  _  :  BaseType  ->  Type 
_0_  :  Type  Type  ->  Type 
unit  :  Type 
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Types  are  BaseTypes,  unit,  and  pair  types  (r  1  ®  r 2). 

Returning  to  TermSig,  the  programmer  may  additionally  specify  a  collection  of  function 
symbols  Func  r  A,  which  require  an  argument  of  type  A  and  produce  a  term  of  type  r,  along 
with  enumeration  and  equality  for  function  symbols. 

Given  an  instance  of  this  signature  the  framework  provides  a  datatype  of  terms  and  a  collec¬ 
tion  of  operations  on  it.  First,  the  datatype  of  terms: 

ICtx  =  List  BaseType 

data  Term  :  ICtx  ->  Type  ->  Set  where 

>_  :  V  { 0  r}  ->  r  G  12  -»  Term  12  (►  r) 

►  _  :  V  { 0  r}  ->  Const  r  ->  Term  12  (►  r) 

:  V  {12  rl  r2}  ->  Term  12  rl  ->  Term  12  r2  ->  Term  12  (rl  <g)  r2) 

[]  :  V  {12}  -»  Term  12  unit 

:  V  {12  t  A}  -»  Func  r  A  ->  Term  12  A  ->  Term  12  (►  r) 

The  terms  over  a  signature  are  given  by  a  datatype  Term  12  r,  where  12,  an  individual  context 
(ICtx),  represents  the  free  variables  of  the  term.  An  ICtx  is  a  list  of  BaseTypes,  and  represents 
a  context  of  individual  variables — e.g.  the  context  X\  :  r, , . . . ,  xn  :  rn  will  be  represented  by 
the  list  7~i  ::  ...  ::  rn  ::  [].  Variables  are  represented  by  well-scoped  de  Bruijn  indices,  which  are 
pointers  into  such  a  list — iO  says  x  G  (x  ::  I),  and  iS  says  that  x  G  (y  ::  I)  if  x  G  I.  Terms  are  either 
variables  (>i),  where  i  :  r  G  12  is  a  de  Bruijn  index,  constants,  applications  of  function  symbols 
(f  •  t),  or  []  and  (tl,  t2)  for  unit  and  product  types. 

Next,  we  equip  this  datatype  of  terms  with  a  variety  of  operations,  generally  in  the  signature. 
First,  we  write  12  C  12’  for  V{r}  -»  r  G  12  -»  r  G  12’  and  define  weakening  (as  well  as 
exchange  and  contraction): 

weakenTerm  :  V  {12  12’  r}  ->  Term  12  r  -»  12  C  12’  -»  Term  12’  r 
Similarly,  we  can  define  substitution: 
substTerm  :  V{12rl2’} 

-»  Term  12  r  ->  (V  {r}  ->  r  G  12  ->  Term  12’  (►  r)) 

->  Term  12'  r 

Next,  we  specialize  substitution  to  the  last  variable,  using  the  identity  substitution  on  12: 

substTerm  Last  :  V  {12  r  r'}  -»  Term  (r  ::  12)  r'  ->  Term  12  (►  r)  ->  Term  12  r’ 

Finally,  we  define  equality  and  enumeration: 

varEq  :  {12  :  ICtx}  {r  :  BaseType}  ->  (x  y  :  r  G  12)  ->  Maybe  (Id  xy) 
termEq  :  V  {12  r}  ->  (Tl  T2  :  Term  12  r)  ->  Maybe  (Id  Tl  T2) 
allVars  :  (12  :  ICtx)  {r  :  _}  -»  List  (r  G  12) 
allTermsGen  :  List  String  ->  (12  :  _)  (A  :  _)  ->  List  (Term  12  A) 

allTermsGen  only  terminates  if  the  signature  is  non-recursive;  we  could  build  a  proof  of  this  fact 
into  TermSig,  but  for  now  we  have  taken  the  shortcut  of  turning  off  the  termination  checker. 
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Next,  we  prove  some  properties  of  these  operations  generically.  First,  weakening  by  the 
identity  is  the  identity: 

Isld  :  V  {12}  ->  (12  C  12)  ->  Set 

Isld  {12}  w  =  {r  :  BaseType}  (i  :  r  G  12)  ->  Id  i  (w  i) 

weakenTerm-id  :  V  {12}  ->  {w  :  12  C  12}  ->  Isld  w 

->  {r  :  Type}  (t  :  Term  12  t)  -+  Id  (weakenTerm  t  w)  A 

Because  Agda  equality  is  intensional,  it  is  too  strong  to  demand  Id  w  (A  x  ->  x);  thus,  we  use 
Isld,  which  says  that  is  the  identity  on  all  arguments. 

Second,  we  prove  that  weakening  by  a  composition  is  the  composition  of  weakenings: 

_ o :  \/{mmm  ■.  ictx}  ->  (w2  :  mem)  ->  (wi  :  m c 02)  -*■  121c  123 

weakenTermo  :  V  {121  02  123  r}  ->  (w2  :  02  C  123)  (wl  :  121  C  122) 

->  (A  :  Term  121  r) 

->  Id  (weakenTerm  A  (A  {_}  ->  w2  o  wl))  (weakenTerm  (weakenTerm  A  wl)  w2) 

Another  artifact  of  intensional  equality  is  that  we  must  prove  that  weakening  by  point-wise 
equal  functions  is  the  identity: 

WEq  :  V  (O  O’ }  ->  (fl  f2  :  12  C  12’)  ->  Set 

WEq  fl  f2  =  {r  :  BaseType}  ->■  (x  :  r  E  _)  ->  Id  (fl  x)  (f2  x) 

weakenTerm-ext  :  V  (12  12’}  {wl  w2  :  12C12’}  ->•  WEq  wl  w2  -> 

{r  :  Type}  (t  :  Term  12  r)  -+  Id  (weakenTerm  t  wl)  (weakenTerm  t  w2) 

These  are  all  the  generic  operations  on  terms  that  we  required  in  our  development,  though  we 
could  go  on  to  prove  analogous  properties  of  substitution,  etc. 

For  atomic  propositions,  we  similarly  define  a  datatype  Aprop  12.  This  datatype  is  parametrized 
over  a  set  of  atomic  proposition  symbols  Atom  :  Type  Set,  and  an  atomic  proposition  p  •  t 
consists  of  an  Atom  A  paired  with  a  term  of  type  A.  We  could  have  used  Terms  of  a  particular 
base  type  prop  to  represent  atomic  propositions,  but  for  a  historical  accident:  we  had  abstracted 
out  a  signature  of  atomic  propositions  before  doing  so  for  terms. 

Propositions 

BL0  propositions  include  conjunction,  disjunction,  implication,  universal  and  existential  quan¬ 
tification,  and  the  says  modality: 

A,B,C  ::=  P  \  A  A  B  \  Av  B  \  A  D  B  \  T 
|  _L  |  \/x:t.s  |  3 x\t.A  \  k  says  A 

In  Figure  [3~6|  we  represent  this  syntax  in  Agda.  Propositions  (Propo)  are  indexed  by  a  context 
of  free  variables,  and  additionally  by  a  polarity  (+  or  — ),  which  will  be  helpful  in  defining  a 
focused  sequent  calculus  below.  Because  the  syntax  of  propositions  is  polarized,  there  are  two 
injections  a—  and  a+  from  atomic  propositions  Aprop  to  negative  and  positive  propositions, 
respectively.  Additionally,  the  shifts  }  and  {  include  negative  into  positive  and  vice  verse.  The 
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data  Propo  :  Polarity  ICtx  ->  Set  where 

_D_  :  V  {12}  ->  Propo+  Propo- 12  ->•  Propo- 12 
Vi_  :  V  {12  r}  ->  Propo-  (r  ::  12)  ->  Propo-  12 
a-  :  V  {12}  ->  Aprop  12  ->  Propo-  12 
{  :  V  {12}  ->  Propo+  12  Propo- 12 

_V_  :  V  {12}  ->  Propo+  12  ->  Propo+  12  ->•  Propo+  12 

_A_  :  V  {12}  ->  Propo+  12  Propo+  12  ->•  Propo+  12 

_L  :  V  {12}  ->  Propo+  12 

T  :  V  {12}  ->  Propo+  12 

3i_  :  V  {12  r}  ->  Propo+  (r  ::  12)  ->  Propo+  12 
_says_  :  V  {12}  -►  Term  12  principal 
Propo-  12  ->  Propo+  12 
a+  :  V  {12}  -*•  Aprop  12  Propo-f-  12 
{  :  V  {12}  ->•  Propo-  12  ->  Propo+  12 


Figure  3.6:  Agda  Representation  of  BL0  Propositions 

remaining  datatype  constructors  correspond  to  the  various  ways  of  forming  propositions  in  the 
above  grammar.  For  example,  the  _A_  constructor  takes  two  terms  of  type  Propo+  12  and  returns 
a  term  of  type  Propo+  12.  The  constructor  3i  (existential  quantification  over  individuals),  takes 
a  positive  proposition,  in  a  context  with  one  new  free  variable  of  type  r,  and  returns  a  positive 
proposition  in  the  original  context  12. 

We  have  suppressed  the  shifts  up  to  this  point  in  the  paper  for  readability.  We  could  suppress 
shifts  in  our  Agda  code  by  implementing  a  simple  translation  that,  given  an  unpolarized  proposi¬ 
tion  and  an  intended  polarization  of  each  atom,  computes  a  polarized  proposition  with  minimal 
shifts. 


Proofs 


Sequent  calculus.  Sequents  in  BL0  have  the  form  12;  A;  V  — >  A.  The  context  12  gives  types  to 
individual  variables  (e.g.  it  is  extended  by  V),  and  the  context  T  contains  propositions  that  are 
assumed  to  be  true  (e.g.  it  is  extended  by  D) — these  are  the  standard  contexts  of  first-order  logic. 
The  context  A  contains  claims,  assumptions  of  the  form  k'  claims  A;  claims  is  the  judgement 
underlying  the  says  connective  (Garg,  2009b | [Pfenning  and  Davies  2001 1.  Finally,  k,  the  view 
of  the  sequent,  is  the  principal  on  behalf  of  whom  the  inference  is  made. 

The  rules  for  says  are  as  follows: 


a,  A;  []  A 
12;  A;  T  —>  k  says  A 


saysR 


12;  A,  (k  claims  A);  r,  [k  says  A)  — >  C 


k0 


saysL 


12;  A;  T,  (k  says  A)  —+  C 
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Q](A,k  claims  A);(r,A)  k  >  kO 

-  claimsL 

fi;  (A ,k  claims  A);T  ^  C 

In  order  to  show  k  says  A,  one  empties  the  context  F  of  true  assumptions,  and  reasons  on  behalf 
of  k  with  the  goal  A  (rule  saysR).  It  is  necessary  to  empty  T  because  the  facts  in  it  may  depend 
on  claims  by  the  principal  ko,  which  are  not  valid  when  reasoning  as  k.  The  rule  saysL  says  that 
if  one  is  reasoning  from  an  assumption  k  says  A,  one  may  proceed  using  a  new  assumption  that 
k  claims  A.  Claims  are  used  by  the  rule  claimsL,  which  allows  passage  from  a  claim  k  claims  A 
to  an  assumption  that  A  is  actually  true.  This  rule  makes  use  of  a  preorder  on  principals,  and 
asserts  that  any  statements  made  by  a  greater  principal  are  accepted  as  true  by  lesser  principals. 


Focused  sequent  calculus.  To  help  with  defining  a  proof  search  procedure,  we  present  BL0  as 
a  weakly-focused  sequent  calculus.  iGarg  (2009b)  describes  both  an  unfocused  sequent  calculus 
and  a  focused  proof  system  for  FHH,  a  fragment  of  BL0;  here  we  give  a  focused  sequent  calculus 
for  all  of  BL0.  Focusing  (]Andreoli[  1992b )  is  a  proof-theoretic  technique  for  reducing  inessential 
non-determinism  in  proof  search,  by  exploiting  the  fact  that  one  can  chain  together  certain  proof 
steps  into  larger  steps.  In  the  Agda  code  above,  we  polarized  the  syntax  of  propositions,  divid¬ 
ing  them  into  positive  and  negative  classes.  Positive  propositions,  such  as  disjunction,  require 
choices  on  the  right,  but  are  invertible  on  the  left:  a  goal  C  is  provable  under  assumption  A+ 
if  and  only  if  it  is  provable  under  the  left  rule’s  premises.  Dually,  negative  propositions  involve 
choices  on  the  left  but  are  invertible  on  the  right.  Weak  focusing  (Pfenning  and  Simmons |  2009) 
forces  focus  (choice)  steps  of  like-polarity  connectives  to  be  chained  together,  but  does  not  force 
inversion  (pattern-matching)  steps  to  be  chained  together.  We  use  weak,  rather  than  full,  focusing 
because  it  is  slightly  easier  to  represent  in  Agda,  and  because  it  can  sometimes  lead  to  shorter 
proofs  if  one  internalizes  the  identity  principles  (which  say  that  A  entails  A) — though  we  do  not 
exploit  this  fact  in  our  current  proven 

The  polarity  of  k  says  A  is  as  follows:  A  is  negative,  but  k  says  A  itself  is  positive.  As  a 
simple  check  on  this,  observe  that  k  says  A  is  invertible  on  the  left — one  can  always  immediately 
make  the  claims  assumption — but  not  on  the  right — because  saysR  clears  the  true  assumptions. 
For  example,  a  policy  is  often  of  the  form  k\  says  A1, . .  .kn  says  An,  with  a  goal  of  the  form 
k'  says  B.  It  is  necessary  to  use  claimsL  to  turn  all  propositions  of  the  form  k  says  A  in  T 
into  claims  in  A  before  using  saysR  on  the  goal — if  one  uses  saysR  first,  the  policy  would  be 
discarded.  This  polarization  is  analogous  to  □  in  Pfenning  and  Davies  (2001)  and  to  !  in  linear 
logic  (Andreoli,  1992b),  which  is  reasonable  given  that  says  is  a  necessitation  modality. 

Our  sequent  calculus,  presented  in  Figure  |3J]  has  three  main  judgements: 

•  Right  focus:  D;  A;  V  [A+] 

•  Left  focus:  0;  A;  T  —>  [A~]  >  C 

k 

•  Neutral  sequent:  O;  A;  T  — >  C" 

Here  A  consists  of  claims  k  claims  A '  and  T  consists  of  positive  propositions.  For  convenience  in 

k 

the  Agda  implementation,  we  break  out  a  one-step  left-inversion  judgement  0;  A;  V  — >  A*  >/  C, 
which  applies  a  left  rule  to  the  distinguished  proposition  A+  and  then  reverts  to  a  neutral  sequent. 


The  rules  are  a  fairly  simple  integration  of  the  idea  of  weak  focusing  (Pfenning  and  Simmons 
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2009 )  with  the  focusing  interpretation  of  says  described  above. 


Agda  Representation  In  Figure  |3.8[  we  show  an  excerpt  of  the  Agda  representation  of  this 
sequent  calculus.  First,  we  define  a  record  type  for  a  Ctx,  which  tuples  together  the  0,  A,  F,  and 
k  parts  of  a  sequent — we  write  0  for  such  a  tuple.  T  is  represented  as  a  list  of  propositions;  A 
is  represented  as  a  list  of  pairs  of  a  principal  and  a  proposition,  written  p  claims  A;  kis  a  term 
of  type  principal.  Record  fields  are  selected  by  writing  R.x,  where  the  type  of  the  record  is  R 
and  the  desired  field  is  x  (e.g.,  Ctx.rk  selects  the  principal  from  a  Ctx  record).  Note  that  Ctx  is 
a  dependent  record:  the  true  context,  the  claims  context,  and  the  view  can  mention  the  variables 
bound  in  the  individual  context  rfl  We  write  TCtx+  Q  for  List  (Propo+  Q).  We  define  several 
helper  functions  on  Ctxs:  sayCtx  clears  the  Ctx  of  true  propositions,  and  changes  the  view  of  the 
context  to  its  second  argument,  ictx  (not  shown)  is  shorthand  for  Ctx. rfl.  addTrue  and  addClaim 
cons  a  true  proposition  onto  T  or  a  claim  onto  A,  respectively.  addVar  adds  a  variable  to  f 1,  and 
weakens  the  rest  of  the  context. 

When  writing  down  the  calculus  on  paper,  it  is  obvious  that  extending  fl  does  not  affect  F 
or  A;  any  variables  bound  in  fl  will  be  bound  in  fT  A  fl  However,  in  Agda,  it  is  necessary 
to  explicitly  coerce  F  fl  to  F  Q’  for  type  families  F  dependent  on  Q.  Above,  we  discussed 
weakenTerm;  weakening  for  propositions,  claims,  true  contexts  (weakenT+),  claims  contexts 
(weakenC),  and  so  on,  are  analogous. 

There  are  4  judgments  in  our  weakly-focused  sequent  calculus;  analogously,  there  are  4  mu¬ 
tually  recursive  datatype  declarations  representing  these  judgements  in  Agda,  with  one  datatype 
constructor  for  each  inference  rule.  We  show  the  constructors  VL  (for  the  left  focus  judge¬ 
ment),  3L  and  saysL  (for  the  left  inversion  judgement),  saysR  (for  the  right  focus  judgement), 
and  claimsL  (for  the  neutral  sequent  judgement).  For  the  most  part,  the  rules  are  a  straightfor¬ 
ward  transcription  of  the  sequent  calculus  rules.  In  VL,  the  function  substlast  substitutes  a  term 
for  the  last  variable  in  a  proposition;  we  have  implemented  substitution  for  individual  variables 
for  each  of  the  syntactic  categories.  In  3 L,  it  is  necessary  to  weaken  the  goal  with  the  new 
variable,  which  is  tacit  in  on-paper  presentations. 


Properties  Because  the  sequent  calculus  is  cut-free,  consistency  of  closed  proofs  is  immediate: 
Consistency:  For  all  principals  k,  there  is  no  derivation  of 

[];  □;  0  -T  J-. 

Proof:  no  rule  concludes  A  in  right  focus,  and  in  the  empty  context  no  left  focus  or  left  inversion 
rules  apply. 

Identity  and  cut  can  be  proved  using  the  usual  syntactic  methods,  adapting  Garg’s  proof  ([Garg , 
2009b)  for  an  unfocused  sequent  calculus  to  weak  focusing,  following  Pfenning  and  Simmons] 


(2009). 


3.2.2  Proof  Search 

We  have  implemented  a  simple  proof-producing  theorem  prover  for  BL0: 
prove  :  Nat  ->  (9  :  Ctx)  -*•  (A  :  Propo-  (ictx  9))  ->  Maybe  ( 9  P  A) 
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INIT+ 


O;  A;  T;  P+  44  [P+] 


O;  A;  T  [S']  >  P~ 


INIT- 


T 


S];A;r4C 


T  L 


_L 


A;  r  — >  [T] 


ft;  A;  T  -AT  >j  C 


J];A;r4  T>tC 


J];A;r4[i+]  ft;  A;  T  A>  [£+] 
ft;  A;  T  4  [A+  A  S+] 


AR 


ft;A;r,A+,S+  44  C 
ft;  A;  T  — >  (A+  AB+)  >7  (ft 


AL 


ft;  A;T  -4  [A+] 
ft;  A;  T  4  [A+  V  S+] 


VR1 


ft;  A;T  -4  [S+] 

ft;  A;  T  4  [A+  V  S+] 


VR2 


ft;  A;r,y4+,44  C  ft;  A;  T,  B+,  -4  C 
ft;  A;  T  —>  {A+W  B+)  >/  C 


fthtir  ft;A;r  4  [[t/x]y4+] 
ft;A;ri  [3®  :  r.^+] 


3R 


ft,  x  :  r;  A;  T,  ^4+  44  C 
ft;A;ri  (3x  :  r.^4+)  >7  C 


3L 


ft;  A;  T  44  A' 
ft;  A;  T  44  [|  A'] 


-  fc 


blurR 


ft;  A;  T,  J.  A"  A  [X]  >  (ft 
ft;A;r  ,IA'±C 


LFOC 


ft;  A;  []  44  A" 


kO 


ft;A;T  ^  [fc  Says  A' 


saysR 


ft;  A,  (A:  claims  A');r  ^4  C 


ft;  A;  T  444  (jfc  Says  A-)  >/  (ft 

ft;A;r44[A+]  ft;  A;  T  44  [S']  >  (ft 
ft;  A;  T  44  [A+  d  S']  >  C 


SAYSL 


ft;  A;  T,  A+  44  S' 
ft;A;T  4  A+  D  S' 


DR 


DL 


ft;  A;  T  44  [t/x\A~ 
ft;  A;  T  4  Vx  :  r.A" 


VR 


ft;  A;  T  44  [[t/x]A']  >  C 
ft;  A;  T  44  [Vx  :  r.A']  >  (ft 


VL 


ft;  A;  r  44  [A+] 

ft;  A;T  44 1  A+ 


RFOC 


ft;  A;  T,  A+  44  (ft 
ft;  A;  T  4  [|  A+]  >C 


blurL 


ft;A;(r,A+)  4  L4+]  >7  (ft'  ft;  (A,  k  claims  AT);  T  ^  M']  >  (ft  fc  >  kO 

- - -  LINY  — - - - -  CLAIMSL 


ft;  A;  (r,  A+)  (ft 


ft;  (A,  A:  claims  A');r  444  (ft 


Figure  3.7:  Weakly  focused  sequent  calculus  for  BL0 
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record  Ctx  :  Set  where 
field  rk!  :  ICtx 

r r  — (—  :  List  (Propo+  rk!) 

rA  :  List  (Term  rk!  principal  x  Propo-  rk!)  -- pairs  written  (k  claims  A) 
rk  :  Term  rk!  principal 

addTrue  :  (9  :  Ctx)  ->  (A  :  Propo  Pos  (ictx  9))  ->  Ctx 
addTrue  9  A  = 

record  {rk!  =  Ctx.rk!  0;  rT+  =  A  ::  (Ctx.rT+  0);  rA  =  Ctx.rA  0;rk  =  Ctx.rk  0} 

addClaim  :  ( 9  :  Ctx)  -»  (t  :  Claim  (ictx  9))  ->  Ctx 
addClaim  9  c  = 

record  {rk!  =  Ctx.rk!  0;  rT+  =  Ctx.rT+#;rA  =  c  ::  Ctx.rA  9]  rk  =  Ctx.rk  9} 
addVar  :  ( 9  :  Ctx)  (A  :  Type)  -»•  Ctx 

addVar  9  r  =  record  {rk!  =  (r  ::  Ctx.rk!  9);  rT+  =  (weakenT+  (Ctx.rT+  9)  iS); 

rA  =  (weakenC  (Ctx.rA  9)  iS);  rk  =  (weakenTerm  (Ctx.rk  9)  iS) } 

sayCtx  :  ( 9  :  Ctx)  (k  :  Term  (Ctx.rk!  9)  principal)  -»•  Ctx 

sayCtx  9  k  =  record  {rk!  =  Ctx.rk!  9;  rT+  =  [];rA  =  Ctx.rA  0;rk  =  k} 


mutual 

data  _PL_>_  :  (9  :  Ctx)  ->  Propo-  (ictx  9)  ->  Propo-  (ictx  9)  -*  Set  where 
VL  :  V{0rAC}->(t  :  Term  (ictx  9)  r)  -r 
9  PL  (substlast  A  t)  >  C  -> 

9  PL  Vi_  {ictx  9 }  {r}  A  >  C 

data  _PI_>_  :  ( 9  :  Ctx)  ->  (Propo+  (ictx  9))  ->  Propo-  (ictx  9)  -*■  Set  where 
3L  :  V  {9t  A  C} 

->•  (addTrue  (addVar  9  r)  A)  P  (weakenP  C  iS) 

->  9  PI  (3e  r  A)  >  C 
saysL  :  V  {9  k  s  B} 

->•  addClaim  9  (k  claims  s)  P  C 
9  PI  (k  says  s)  >  C 


data  _PR_  :  ( 9  :  Ctx)  ->  Propo-I-  (ictx  9)  Set  where 
saysR  :  V  {9  k  A} 

->  (sayCtx  9  k)  P  A 
->  9  PR  (k  says  A) 


data  _P_  :  ( 9  :  Ctx)  ->  Propo-  (ictx  9)  ->  Set  where 
claimsL  :  V  {9  k  A  C} 

->  (k  claims  A)  £  Ctx.rA  9 
->0PLA>C->k^  Ctx.rk  9 
^9  PC 


Figure  3.8:  Agda  representation  of  proofs  (exceprt) 
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prove  takes  a  depth  bound,  a  context,  and  a  proposition,  and  attempts  to  find  a  proof  of  9  b  A 
with  at  most  the  given  depth.  The  prover  is  certified :  when  the  prover  succeeds,  it  returns  a 
proof,  which  is  guaranteed  by  type  checking  to  be  well-formed.  When  the  prover  fails,  it  simply 
returns  None.  The  prover  is  implemented  by  around  200  lines  of  Agda  code. 

Our  prover  is  quite  naive,  but  it  suffices  to  prove  the  examples  in  this  paper.  For  the  most  part, 
the  prover  backchains  over  the  focusing  rules.  Flowever,  whereas  the  above  sequent  calculus  was 
only  weakly  focused,  the  prover  is  fully  focused,  in  that  it  eagerly  applies  invertible  rules,  which 
avoids  backtracking  over  different  applications  of  them.  If  the  goal  is  right-invertible,  the  prover 
applies  right  rules.  Once  the  goal  is  not  right-invertible  (an  atom  or  a  shift  j  A+),  the  prover  fully 
left-inverts  all  of  the  assumptions  in  T.  Inverting  a  context  T  breaks  up  the  positive  propositions 
using  left  rules,  generating  a  list  of  non-invertible  contexts  ©i, ...,  0fc  such  that,  if  for  every  i, 
(-),  b  C.  then  ©  b  C.  Once  the  sequent  has  been  fully  inverted,  the  prover  tries  right-focusing  (if 
the  goal  is  a  shift  f  A+)  and  left-focusing  on  all  assumptions  in  T  and  claims  in  A,  until  one  of 
these  choices  succeeds.  The  focus  phases  involves  further  backtracking  over  choices  (e.g.,  which 
branch  of  a  disjunction  to  take).  The  focus  rules  for  quantifiers  (WE  and  31)  require  guessing  an 
instantiation  of  the  quantifier.  Our  current  implementation  is  brute-force:  it  simply  computes  all 
terms  of  a  given  type  in  a  given  context  and  tries  each  of  them  in  turn — we  have  only  considered 
individual  types  with  finitely  many  inhabitants. 

The  following  snippet  of  an  auxiliary  function  implementing  the  right  focus  judgement  gives 
a  feel  for  the  prover: 

proveRight  :  Nat  (9  :  Ctx)  ->  (A  :  Propo  Pos  (ictx  9))  Maybe  (9  bR  A) 

proveRight  Z _ =  None 

proveRight  (S  n)  9  (A  V  B)  = 

(map  VR1  (proveRight  n  9  A))  ||  (map  VR2  (proveRight  n  9  B) ) 
proveRight  (S  n)  9  (A  A  B)  = 

proveRight  n  9  A  »=  )x->  map  (A  y  ->  AR  x  y)  (proveRight  n  9  B) 
proveRight  (S  n)  9  T  =  Some  TR 
proveRight  (S  n)  9  1  =  None 

proveRight  (S  n)  9  (J,  A)  =  map  (A  x  ->  blurR  x)  (proveNeutral  n  9  A) 

proveRight  (S  n)  9  (kO  says  A)  =  proveNeutral  n  (sayCtx  9  kO)  A  »=  A  y  ->  Some  (saysR  y) 


If  the  depth  bound  is  0,  fail.  If  the  goal  is  a  disjunction,  try  proving  the  two  disjuncts.  if  the  goal 
is  a  conjunction,  prove  them  both.  If  the  goal  is  T,  succeed;  if  it  is  _L,  fail.  If  the  goal  is  j.  A, 
switch  to  proving  A  as  a  neutral  sequent.  Similarly,  if  the  goal  is  kO  says  A,  switch  contexts  and 
prove  A  neutrally.  We  write  map  and  >>=  and  1 1  for  functoriality,  bind,  and  “mplus”  of  Maybe; 
1 1  tries  the  left  disjunct  first. 


The  prover  achieves  tolerable  compile  times  on  the  small  examples  we  have  considered  so 
far  (1  to  13  seconds).  If  it  proves  too  slow  for  some  examples,  we  have  several  options:  First,  we 
can  improve  our  implementation — e.g.  by  implementing  unification,  which  will  eliminate  much 
of  the  branching  from  quantifiers,  or  by  doing  a  better  job  of  clause  selection.  Second,  we  could 
connect  Agda  with  an  external  theorem  prover,  following  Kariso  (2010).  Garg  has  implemented 
theorem  prover  for  BL0  in  ML  (Garg,  [2009b),  which  we  could  integrate  soundly  by  writing  a 
type  checker  for  the  certificates  it  produces.  Third,  we  could  optimize  Agda  itself,  by  fixing 
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some  known  inefficiencies  in  Agda’s  compile-time  evaluation. 


3.2.3  Computations 


The  monadic  interfaces  presented  in  Section  3.1  are  currently  treated  as  refinement  types  on 


Haskell’s  10  monad,  which  is  exposed  through  the  Agda  foreign  function  interface.  The  imple¬ 
mentations  of  proof-carrying  file  operations  simply  ignore  their  proof  arguments,  fix  is  compiled 
using  general  recursion  in  Haskell.  In  this  operational  model,  programs  written  in  Aglet  adhere 
to  the  security  policies,  but  no  guarantees  are  made  about  programs  that  can  access,  e.g.,  the  raw 
file  system  operations.  We  discuss  alternatives  in  Section [T4|bclow. 


3.3  Related  Work 


Aglet  implements  security-typed  programming  in  the  style  of  Aura  ( Jia  et  al. ,  2008 ),  PCML5  ( Avi 
[jit  et  al.[  |2010|),  Fine  (|Swamy  et  al.[  |2010|),  and  previous  work  by  |Avijit  and  Harper|  (|2007|) 
(henceforth  AH),  which  integrate  authorization  logics  into  functional/imperative  programming 
languages.  Our  main  contribution  relative  to  these  languages  is  to  show  how  to  support  security- 
typed  programming  within  an  existing  dependently-typed  language.  There  are  also  some  techni¬ 
cal  differences  between  these  languages  and  ours: 

First,  Aura,  PCML5,  and  AH  interpret  says  as  a  lax  modality,  whereas  BL0  interprets  it  as  a 
necessitation  modality  to  support  exclusive  delegation  (see  Section [J.2.1[);  Fine  uses  first-order 
classical  logic  and  does  not  directly  support  the  says  modality.  The  context-clearing  necessitation 
modality  is  more  challenging  to  represent  than  a  lax  modality. 

Second,  unlike  these  four  languages,  our  language  treats  propositions  and  proofs  as  induc¬ 
tively  defined  data,  which  has  several  applications:  In  Aura,  all  proof-carrying  primitives  log  the 
supplied  proofs  for  later  audit;  the  programmer  could  implement  logged  operations  on  top  of  our 
existing  interface  by  writing  a  function 
toString  :  Proof  T  A  String 

by  recursion  over  proofs.  Recursion  over  propositions  is  also  essential  for  writing  our  theorem 
prover  inside  of  Agda. 

Third,  our  indexed  monad  of  computations  allows  us  to  encode  computation  on  behalf  of  a 
principal,  following  AH.  In  Aura,  all  computation  proceeds  on  behalf  of  a  single  distinguished 
principal  self.  In  PCML5,  a  program  can  authenticate  as  different  principals,  but  the  credentials 
are  less  precise:  in  PCML5,  the  program  authenticates  as  k,  whereas  in  AH  the  program  acquires 
only  the  ability  to  su  from  a  given  k'  to  k — which  may  be  a  useful  restriction  if  the  program  is 
subsequently  no  longer  running  as  k' .  Fine  does  not  track  authentication  as  a  primitive  notion, 
though  it  seems  likely  it  could  be  encoded  using  an  As  predicate  and  affine  types. 

Fourth,  in  PCML5,  acquire  uses  theorem  proving  to  deduce  consequences  of  the  policy, 
whereas  in  our  language  acquire  only  tests  whether  a  state-dependent  atom  or  a  statement  by 
a  principal  is  literally  in  the  policy,  and  a  separate  theorem  prover  deduces  consequences  from 
the  policy.  We  separate  theorem  proving  from  acquire  so  that  we  may  also  use  the  same  theorem 
prover  at  compile-time  to  statically  discharge  proof  obligations.  PCML5  and  AH  make  use  of  a 
theorem  prover  only  at  run-time,  whereas  Fine  uses  theorem  proving  only  at  compile-time. 
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Fifth,  PCML5  is  a  language  for  spatially  distributed  authorization,  where  resources  and  poli¬ 
cies  are  located  at  different  sites  on  a  network.  We  have  shown  how  to  support  ML5-style  spatial 
distribution  using  our  indexed  monad,  but  we  leave  spatial  distribution  of  policies  to  future  work. 

Sixth,  the  operational  semantics  of  both  PCML5  and  AH  include  a  proof-checking  reference 
monitor;  we  have  not  yet  considered  such  an  implementation. 

Several  other  languages  provide  support  for  verifying  security  properties  by  type  checking. 
For  example,  Fournet  et  ah  (|2007|)  develop  a  type  system  for  a  process  calculus,  and  Bengtson 


et  al.  (2008)  for  F#,  both  of  which  can  be  used  to  verify  authorization  policies  and  cryptographic 


protocols.  This  work  addresses  important  issues  of  concurrency,  which  we  do  not  consider  here. 
A  technical  difference  is  that,  in  their  work,  proofs  are  kept  behind  the  scenes  (e.g.,  in  F7,  propo¬ 
sitions  are  proved  by  the  Z3  theorem  prover).  In  contrast,  our  language  makes  the  proof  theory 
directly  available  to  the  programmer,  so  that  propositions  and  proofs  can  be  computed  with  (for 
logging  or  run-time  theorem  proving)  and  so  that  proofs  can  be  constructed  manually  when  a 
theorem  prover  fails.  Another  example  of  a  language  that  does  not  give  the  programmer  direct 
access  to  the  proof  theory  is  PCAL  ([Chaudhuri  and  Garg[  2009]),  an  extension  of  BASH  that 
constructs  the  proofs  required  by  a  proof-carrying  file  system  ( Garg  and  Pfenning]  2009);  proof 
construction  is  entirely  automated,  but  sometimes  inserts  run-time  checks. 

Our  indexed  monad  was  inspired  by  HTT  (Nanevski  et  al. ,  j2006|).  RIF  (Borgstrom  et  al. 


2009)  also  investigates  applications  of  indexed  monads  to  security-typed  programming,  but  there 


are  some  technical  differences:  First,  RIF  is  a  new  language  where  refinement  types  (using  first- 
order  classical  logic)  and  a  refined  state  monad  are  primitive  notions,  whereas  we  embed  an 
authorization  logic  and  an  indexed  monad  in  an  existing  dependently  typed  language.  Second, 
RIF’s  monad  is  indexed  by  predicates  on  an  explicit  representation  of  the  system  state,  whereas 
we  index  by  policies  T  that  describe  an  implicit  ambient  state. 

Many  security-typed  languages  address  the  problem  of  enforcing  information  flow  policies 
(see|Abadi  et  al.|  (fl999j);  |Chothia  et  al.](|2003])  for  but  a  couple  of  examples).  We  follow  Russo 


et  al.|(|2008l);|Swamy  et  al.|(|2010|)  in  representing  information  flow  using  an  abstract  type  con¬ 
structor  (e.g.,  a  monad  or  an  applicative  functor).  Fable  (|Swamy  et  al.]  |2008|)  takes  a  different 
approach  to  verifying  access-control,  information  flow,  and  integrity  properties,  by  providing  a 
type  of  labelled  data  that  is  treated  abstractly  outside  of  certain  policy  portions  of  the  program. 
This  mechanism  facilitates  checking  security  properties  (by  choosing  the  labels  appropriately 
and  implementing  policy  functions)  and  proving  bi-simulation  properties  of  the  programs  that 
adhere  to  these  policies. 

DeYoung  and  Pfenning  ( 2009 j)  describe  a  technique  for  representing  access  control  policies 
and  stateful  operations  in  a  linear  authorization  logic.  Our  approach  to  verifying  context  invari¬ 
ants,  as  in  Section[3.1.1[  is  inspired  by  their  work. 


The  literature  describes  a  growing  body  of  authorization  logics  (Abadi],  [2006]  |2008|  |Abadi 


et  al.]  |1993]  |De Young  et  al.]  |2008|  |Garg]  |2009a|b[).  We  chose  BL0  (|Garg,  2009b]),  a  simple 


logic  that  supports  the  expression  of  decentralized  policies  and  whose  says  connective  permits 
exclusive  delegation. 

Appel  and  Felten  (|1999])  pioneered  the  use  of  proof-carrying  authorization,  in  which  a  system 


checks  authorization  proofs  at  run-time.  Several  systems  have  been  built  using  PCA  (Bauer  et  al. 


2005]  [Gairg  and  Pfenning]  [2009]  |Wobber  et  al.]  [1994]).  Like  many  security-typed  languages,  we 


use  dependently  typed  PCA  to  check  authorization  proofs  at  compile-time  through  type  checking. 
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3.4  Discussion 


In  this  chapter,  we  have  described  Aglet,  a  library  embedding  security-typed  programming  in  a 
dependently-typed  programming  language.  There  are  many  interesting  avenues  for  future  work: 
First,  we  may  consider  embedding  an  authorization  logic  such  as  full  BL  (Garg  2009a)  that 
accounts  for  resources  that  change  over  time. 

Second,  we  have  currently  implemented  the  monadic  computation  interface  on  top  of  un¬ 
guarded  Haskell  10  commands,  which  provides  security  guarantees  for  well-typed  programs.  To 
maintain  security  in  the  presence  of  ill-typed  attackers,  we  may  instead  implement  our  interface 
using  a  proof-carrying  run-time  system  such  as  PCFS  (Garg  and  PfenningJ  2009).  Following 
PCML5  (Avijit  et  al.[  |2010),  we  may  then  be  able  to  prove  a  progress  theorem  showing  that 
well-typed  programs  always  pass  the  reference  monitor.  Another  intriguing  possibility  is  to  for¬ 
malize  the  operational  behavior  of  computations  directly  within  Agda — e.g.  using  an  algebraic 
axiomatization  ([Plotkin  and  Pretnar]j2009[). 

Third,  we  have  shown  a  few  small  examples  of  using  Agda  to  reason  about  the  class  of  con¬ 
texts  that  is  possible  given  a  particular  monadic  interface.  In  future  work,  we  would  like  to 
explore  ways  of  systematizing  this  reasoning  (e.g.,  by  using  linear  logic  to  describe  transforma¬ 
tions  between  contexts,  as  in  DeYoung  and  Pfenning:  (2009 j)) .  We  would  also  like  to  use  Agda  to 
analyze  global  properties  of  a  particular  monadic  interface  (such  as  proving  a  principal  can  never 
access  a  resource).  Once  we  have  circumscribed  the  contexts  generated  by  a  particular  interface, 
we  can  prove  such  properties  by  induction  on  BL0  proofs. 

Fourth,  we  have  thus  far  shown  examples  of  entirely  static  and  entirely  dynamic  verification; 
we  would  like  to  consider  examples  that  mix  the  two.  This  will  require  using  reflection  to  rep¬ 
resent  Agda  judgements  as  data,  so  that  our  theorem  prover  does  not  get  stuck  on  open  Agda 
terms. 

To  illustrate  this  problem,  suppose  we  set  up  a  call  to  the  theorem  prover  as  follows: 


goal  :  (reviewer  :  Term  []  (►  principal))  -> 

Proof  ((►  Prin  "Admin"  says  a-  (MaySu  •  (►  Prin  "Public",  reviewer)))  ::  []) 
(a-  (MaySu  ■  (►  Prin  "Public",  reviewer))) 
goal  reviewer  =  solve  (prove  10) 


That  is,  we  would  like  to  prove,  abstractly  in  any  reviewer,  that  if  Admin  says  Public  may  su  as 
the  reviewer,  then  Public  may  su  as  the  reviewer.  Unfortunately,  the  theorem  prover  does  not 
succeed  in  proving  this  goal,  because  of  the  free  Agda  variable  reviewer:  the  theorem  prover  gets 
stuck  at  trying  to  compute  termEq  reviewer  reviewer.  While  it  is  true  that  for  all  terms  termEq  1 1 
computes  to  Some,  this  fact  is  not  true  definitionally. 

We  can  solve  this  problem  by  reflecting  the  goal,  which  has  a  free  Agda  variable,  as  a  goal 
with  a  free  individual  variable  in  the  logic:  Computation  proceeds  with  derivability  assumptions 
in  places  where  it  gets  stuck  on  admissibility  assumptions.  In  this  case,  we  replace  reviewer  with 
an  individual  variable  of  type  principal: 


60 


CHAPTER  3.  SECURITY-TYPED  PROGRAMMING 


reflectedGoal  : 

record  { 

rfi  =  principal  ::  []; 

rA  =  []; 

rr+  =  (►  Prin  "Admin"  says  a-  (MaySu  •  (►  Prin  "Public", >  iO)))  ::  []; 
rk  =  ►  Prin  "Admin"} 
b  (a-  (MaySu  •  (►  Prin  "Public", >  iO))) 
reflectedGoal  =  Sums.getSome  (proveNeutral  10 _ ) 

and  the  theorem  prover  succeeds. 

Next,  using  the  substitution  principal  for  the  logic,  we  can  instantiate  a  derivability  assump¬ 
tion  with  an  admissibility  assumption  to  prove  the  original  goal: 

substHast  :  V  r  A  T  k  A} 

->  record  (rfi  =  r  ::  rA  =  A;rT+  =  T;rk  =  k}  b  A 
->  (t  :  Term  D  (►  r)) 

->  record  { rO  =  O;  rA  =  substCLast  A  t; 

rT+  =  substT+Last  T  t;  rk  =  substTermLast  k  t} 
b  (substlast  A  t) 


goal  :  (reviewer  :  Term  []  (►  principal))  ->• 

(Proof  ((►  Prin  "Admin"  says  a-  (MaySu  ■  (►  Prin  "Public",  reviewer)))  ::  []) 
(a-  (MaySu  •  (►  Prin  "Public",  reviewer)))) 
goal  reviewer  =  substblast  reflectedGoal  reviewer 


Framework  support  Before  moving  on,  it  is  worth  summarizing  what  logical  framework  fea¬ 
tures  we  used  in  this  example.  We  used  derivability,  implemented  “by  hand”  using  dependent  de 
Bruijn  indices,  to  represent  BL0.  However,  we  required  not  just  ordinary  derivability,  but  a  modal 
version  of  entailment,  to  support  says.  We  used  admissibility  functions  to  implement  a  theorem 
prover,  to  compute  types  and  specifications  (Result  and  Postcondition),  and  to  write  the  code  that 
we  verified  using  the  authorization  logic.  We  used  types  dependent  on  derivability  functions  (the 
monad  indexed  by  propositions)  and  applications  of  admissibility  functions  (e.g.  the  computed 
postcondition)  to  make  the  link  between  code  and  specifications.  Agda  supports  all  of  this,  but 
implementing  derivability  by  hand  for  each  logic  is  tedious — even  here,  we  found  it  useful  to 
implement  a  simple  logical  framework  to  parametrize  BL0  over  terms  and  atomic  propositions. 
This  motivates  the  study  of  richer  embedded  logical  frameworks  in  Part  [II}  But  first,  we  present 
an  additional  example  of  a  domain-specific  logic,  which  illustrates  a  different  mode  of  use  of 
dependent  types. 


Chapter  4 

Semantic  Differential  Privacy 


The  example  described  in  this  chapter  was  implemented  jointly  with  Jason  Reed. 


Large  amounts  of  people’s  information  are  stored  in  databases  (medical  records,  your  Face- 
book  profile,  . . . ),  and  mechanisms  to  exploit  this  information  while  preserving  privacy  are  very 
important.  One  notion  of  database  privacy  that  has  been  studied  is  differential  privacy  (jDinur  and 
Nissim[  [2003  Dwork  and  Nissim  2004  Dwork  et  al.[  2006):  a  mechanism  is  differentially  pri¬ 
vate  if  any  conclusion  made  from  the  data  is  almost  exactly  as  likely  if  any  one  record  is  omitted 
from  the  database. 

Many  differentially  private  algorithms  rely  on  constructing  a  distance-preserving  function, 
and  then  adding  some  noise  to  it.  Distance  preservation  ensures  that  the  distance  between  outputs 
of  a  function  is  bounded  by  a  constant  factor  of  the  distance  between  the  function’s  inputs.  A 
function  is  1  -sensitive  if  it  preserves  distances  exactly,  or,  more  generally,  /c-sensitive  if  the 
output  distance  is  never  more  than  k  times  the  input  distance.  ^-sensitive  functions  can  be  made 
differentially  private  by  adding  noise  proportional  to  k.  However,  for  programming  purposes,  it 
is  necessary  to  consider  not  only  distance-preserving  functions  on  1Z,  but  on  many  other  types 
as  well:  pairs,  with  distance  given  by  the  sum  of  the  distances  of  the  components;  sets,  with 
edit  distance;  and  others.  This  can  be  formalized  by  considering  general  metric  spaces,  spaces 
equipped  with  a  notion  of  distance,  and  distance-preserving  functions  on  them. 


Reed  and  Pierce  (2010)  observed  that  the  proof  obligations  that  arise  in  showing  that  func¬ 
tions  are  distance-preserving  can  be  packaged  as  a  type  system  based  on  affine  logic.  Their 
language  is  defined  in  the  standard  syntactic  manner,  using  a  type  system  and  operational  se¬ 
mantics.  However,  this  type  system  is  incomplete,  in  the  sense  that  there  are  many  distance¬ 
preserving  functions  that  cannot  be  written  in  the  language,  and  a  somewhat  arbitrary  collection 
of  such  operations  are  taken  as  primitives  in  the  languages  design. 

We  can  use  a  dependently  typed  host  language  to  solve  this  problem.  First,  we  formalize 
the  semantic  definition  of  distance-preservation  as  the  fundamental  notion.  This  offers  a  fully 
certified  and  fully  extensible  type  of  distance-preserving  functions:  if  you  can  prove  that  a  func¬ 
tion  satisfies  the  semantic  condition,  it  is  an  element  of  the  type  of  distance-preserving  functions. 
The  affine  type  system  is  then  interpreted  as  tactics  used  to  construct  semantic  elements  more 
conveniently — it  packages  up  the  proof  obligations  in  a  convenient  way.  When  a  new  primitive  is 
necessary,  it  can  be  proved  correct  in  the  semantics  and  then  added  to  the  syntax.  This  language 
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architecture  is  similar  to  NuPRL  (Constable  et  al.,|1986|),  where  a  semantics  of  dependent  types 
is  defined  first,  and  the  syntax  consists  of  a  particular  sound  but  incomplete  collection  of  proof 
rules.  However,  in  NuPRL  the  semantics  exists  only  on  paper,  whereas  here  we  implement  the 
semantics  itself  inside  of  a  proof  assistant,  so  that  it  can  be  programmed  with  directly  when  nec¬ 
essary.  This  example  illustrates  a  different  style  of  program  verification  than  the  security-typed 
programming  example  above:  here,  dependent  types  are  used  behind  the  scenes  to  implement  a 
semantics  and  an  interesting  type  system,  but  the  programs  written  using  this  type  system  are, 
for  the  most  part,  simply-typed.  We  restrict  attention  to  differential  privacy  for  total  programs,  as 
semantic  embeddings  of  general  recursion  require  more  advanced  meta-language  features,  such 
as  partial  functions  (jCraryj,  [T998])  or  coinduction. 

In  Section|4~T|we  implement  metric  spaces;  in  Section|4~2j  we  define  an  affine  type  system  for 
distance-preserving  functions;  in  Seed  on  [43]  we  show  the  syntax  sound  relative  to  the  semantics. 


4.1  Metric  spaces 


A  metric  space  equips  a  set  with  a  notion  of  distance  between  any  two  points.  We  will  find  it  con¬ 
venient  to  represent  distance  relationally,  rather  than  functionally,  and  to  represent  an  inequality 
on  distance,  rather  than  equality.  Thus,  the  primitive  notion  we  define  is  the  relation  xl  ~  x2  ^  r, 
which  means  that  the  distance  between  xl  and  x2  is  less  than  or  equal  to  r.  If  x  and  y  are  unrelated 
for  any  r,  they  are  considered  to  be  infinitely  distant. 

A  distance  relation  on  a  set  satisfies  identity  if  any  element  is  related  to  itself  at  any  distance. 
A  distance  relation  on  a  set  satisfies  composition  if  two  distances  can  be  composed,  and  the 
distance  of  the  composition  is  less  than  the  sum  of  the  distances — i.e.  it  satisfies  the  triangle 
inequality.  A  distance  relation  satisfies  weakening  if  the  relation  respects  "less  than  or  equal  to" 
on  reals  in  the  appropriate  way. 


Identity  :  (A  :  Set)  (A  A  ->  PosReal  ->  Set)  ->  Set 
Identity  A  =  V  (x  r}  ->  x~x^r 

Composition  :  (A  :  Set)  ->  (A  ->  A  ->  PosReal  Set)  ->  Set 
Composition  A  =  V  {xl  x2  x3  rl  r2 } 

->  xl  ~  x2  ^  rl  x2  ~  x3  ^  r2 
->  xl  ~  x3  ^  (rl  +  r2) 

Weakening  :  (A  :  Set)  ->  (A  ->■  A  ->  PosReal  ->  Set)  ->  Set 

Weakening  _  =  V  {xl  x2  r  r’}  ->•  xl  ~  x2  ^  r  ->  r  ^  r'  ->•  xl  ~  x2  ^  r’ 


The  type  PosReal  represents  positive  reals,  and  the  relation  ^  represents  less-than-or-equal-to 
on  positive  reals.  At  present,  we  have  postulated  a  type  of  real  numbers  with  the  operations 
and  proofs  we  have  needed  for  this  example,  which  means  that  Agda  treats  this  type  as  a  free 
variable.  An  alternative  would  be  to  implement  the  constructive  reals  (|Bishop  1967|). 
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Using  these  definitions,  we  give  an  Agda  type  representing  a  metric  space: 

record  MetS  :  Setl  where 
constructor  met 

field 

Carrier  :  Set 

:  (xl  :  Carrier)  (x2  :  Carrier)  (r  :  PosReal)  ->  Set 
mid  :  Identity  Carrier 
_»_o_  :  Composition  Carrier 
weaken  :  Weakening  Carrier 
open  MetS  public 

A  metric  space  is  defined  as  a  record  containing  a  carrier  type,  a  distance  relation,  and  proofs 
that  the  distance  relation  satisfies  identity,  composition,  and  weakening.  MetS  is  a  type  of  level 
Setl  because  it  contains  a  Set,  the  carrier.  We  have  named  the  distance  relation 
which  allows  it  to  be  used  infix  as  in  M  >  x  ~  y  ^  r,  where  M  :  MetS.  The  last  line  opens  the 
record  type,  which  also  allows  the  field  names  to  be  used  without  the  prefix  MetS. 

For  example,  we  can  define  a  metric  space  whose  carrier  set  is  the  real  numbers,  represented 
by  a  type  Real,  and  whose  distance  is  implemented  as  usual  using  subtraction  (-)  and  absolute 
value  (|-|).  Like  PosReal,  this  type  is  a  postulate. 

reals  :  MetS 
reals  =  met  Real 

(Axyz->|x-y|  ^z) 

(^eql  ((IdM.trans  (IdM.substeq  |_|  -same)  absO))  pos)  tri  ^trans 

The  line  discharges  the  proof  obligations  necessary  for  identity,  composition,  and  weakening. 

Relative  to  the  standard  definition  of  a  metric  space,  this  definition  omits  two  conditions:  first, 
we  do  not  assume  that  distance  is  symmetric;  second,  we  do  not  assume  that  any  two  elements 
at  distance  0  are  equal.  We  will  not  need  either  of  these  properties  in  this  chapter. 

4.1.1  Distance-preserving  functions 

If  A  and  B  are  metric  spaces,  a  distance-preserving  function  from  A  to  B  is  an  underlying  function 
on  the  carriers  equipped  with  a  proof  that  it  preserves  distances,  in  the  sense  that  the  images  of 
any  two  points  are  no  further  apart  in  B  than  the  points  were  in  A. 

Pres  :  (A  B  :  MetS)  (und  :  Carrier  A  -»  Carrier  B)  ->  Set 

Pres  A  B  und  =  V  {xl  x2  r}  ->  A  S>  xl  ~  x2  ^  r  ->  B  >  und  xl  ~  und  x2  ^  r 

record  Func  (A  :  MetS)  (B  :  MetS)  :  Set  where 
constructor  func 

field 

und  :  Carrier  A  ->  Carrier  B 
pres  :  Pres  A  B  und 
open  Func  public 
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Taking  the  distance  between  two  functions  to  be  given  pointwise,  we  show  that  functions 
themselves  form  a  metric  space. 

Pointwise  :  (A  B  :  MetS)  ->■  (fg  :  Func  A  B)  (r  :  PosReal)  ->  Set 
Pointwise  _  B  f  g  r  =  V  {x}  B>  (und  f  x)  ~  (und  gx)  ^  r 

_-os_  :  MetS  ->■  MetS  ->  MetS 
A  -os  B  =  met  (Func  A  B) 

(A  f  g  r  ->  Pointwise  A  B  f  g  r) 

(mid  B) 

(A  dl  d2  ->  B  >  dl  o  d2) 

(A  {xl  x2  r  r’ }  dl  d2  A  {x}  ->•  weaken  B  dl  d2) 

Identity,  composition,  and  weakening  are  inherited  from  B. 

4.1.2  Scaling 

Given  a  metric  space,  we  can  scale  it  by  a  positive  real.  It  will  be  convenient  to  define  this  by 
division,  rather  than  multiplication;  the  proofs  of  the  properties  use  some  simple  reasoning  about 
division. 

!s  :  PosReal  ->  MetS  ->  MetS 
Is  f  A  =  met  (Carrier  A) 

(A  x  y  r  ->  A  >  x  ~  y  ^  (r  v  f)) 

(mid  A) 

(A  {xl  _  x3  rl  r2 }  dl  d2  -> 

IdM.subst  (A  r  ->  A  xl  ~  x3  ^  r)  distrib-y-f-  (A  dl  o  d2)) 

(A  d  le  ->■  weaken  A  d  (div-weaken  le)) 


4.1.3  Monoidal  products 

The  one-point  space  has  the  trivial  metric: 


ones  :  MetS 

ones  =  met  Unit  (A _ r  Unit) _ 


The  metric  on  pairs  says  that  d  ((x,  y),  (x',y’))  =  d  (x, x’)  +  d  (y,  y’),  but  we  spell  this 
fact  out  relationally  (other  notions  of  0  can  be  defined  with  different  metrics  (Reed  and  Pierce 


2010)).  In  linear  logic  terms,  this  corresponds  to  multiplicative  pairs  (0),  as  the  resources  are 


split  between  the  components. 
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record  (8) Met  {A  :  MetS}{B  :  MetS} 

(x  :  Carrier  A  x  Carrier  B)  (y  :  Carrier  A  x  Carrier  B)  (r  :  PosReal)  :  Set  where 
constructor  (8) met 

field 

rl  :  PosReal 
r2  :  PosReal 

51  :  A  (fst  x)  ~  (fst  y)  ^  rl 

52  :  B  S>  (snd  x)  ~  (snd  y)  ^  r2 
i  :  Id  (rl  +  r2)  r 

open  (8) Met  public 

Next,  we  define  a  metric  space  with  this  distance  metric.  The  proofs  follow  from  the  correspond¬ 
ing  properties  for  A  and  B,  with  some  massaging. 

_(8>s_  :  MetS  ->  MetS  -»  MetS 
A  (8>s  B  =  met  (Carrier  A  x  Carrier  B) 

(<8> Met  {A}  { B}) 

(A  {x  r}  ->  (8) met  0  -0  r  (mid  A)  (mid  B)  +unit) 

(A  {xl  x2  x3  x4  x5}  ->  comp  { xl }  {x2}  {x3}  {x4}  {x5}) 

(A  {p  q  r  r’}  x  le  -> 

(8) met  (rl  x)  (r2  x  +  gap  le)  (51  x)  (weaken  B  (52  x)  (positivity  Refl)) 

(IdM.trans 

(IdM.trans  -l-lassoc  (IdM.substeq  (Ax  ->  x  +  gap  le)  (t  x))) 

(ungap  le))) 

where 

comp  :  Composition  _  ®Met 

comp  (<8) met _ d  1  d2  Refl)  (<8>met _ d3  d4  Refl)  = 

(8>met _ (A  3>  dl  o  d3)  (B  S>  d2  o  d4)  assoc/comm4 

At  this  point,  we  could  define  additive  binary  pairs  as  well,  but  they  will  be  a  special  case  of 
what  we  define  next. 

4.1.4  Large  products  and  sums 

It  turns  out  that  it  is  quite  simple  to  define  product  and  sum  metric  spaces  over  any  Agda  set.  For 
II,  the  carrier  is  an  Agda  dependent  function  space,  and  the  distance  is  given  pointwise,  just  as 
with  -o. 

TTs  :  (A  :  Set)  -»  (A  ->  MetS)  ->  MetS 
risAB  =  met  ((x  :  A)  ->  Carrier  (B  x)) 

(A  f  g  r  ->  (x  :  A)  ->  (Bx)>fx~gx^r) 

(Ax  ->  mid  (B  x)) 

(A  dl  d2  x  ->  (B  x)  S>  (dl  x)  o  (d2  x)) 

(A  d  r  x  ->  weaken  (B  x)  (d  x)  r) 
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For  SAB,  the  carrier  is  an  Agda  dependent  pair  of  an  element  x  of  A  and  an  element  of  the 
carrier  of  B  x.  The  distance  metric  asks  the  A  components  to  be  equal  and  the  B  components  to 
be  the  appropriate  distance  apart.  However,  because  the  types  of  the  B  components  refer  to  the 
A  components,  it  is  necessary  to  choose  one  instance  at  which  to  make  the  comparison  (in  this 
case,  fst  p2)  and  coerce  the  other  second  component  using  the  equality  proof. 

Ss  :  (A  :  Set)  ->  (A  ->  MetS)  ->  MetS 
Ss  A  B  =  met  carrier 
mets 

(A  {x}  ->  (Refl,  mid  (B  (fst  x)))) 

(A  {xl}  {x2}  {x3}  {x4}  {x5}  ->  comp  {xl}  {x2}  {x3}  {x4}  {x5}) 

(A  {xl}  {x2}  {r}  {r’}  ->  wkn  {xl}  {x2}  {r}  {r'}) 

where 

carrier  =  S  A  (x  :  A)  ->•  Carrier  (B  x) 
mets  =  (A  pi  p2  r  -> 

S  A  (cl  :  Id  (fst  pi)  (fst  p2)) 

->  (B  (fst  p2)  IdM.subst  (Ax  ->  Carrier  (B  x))  cl  (snd  pi) 

rs j  snd  p2  ^0) 

comp  :  Composition  carrier  mets 

comp  {x,yl}  {.x,y2}  {.x,y3}  {rl}  {r2}  (Refl.  pi)  (Refl.  p2)  = 

Refl.  (B  x)  S>  pi  o  p2 

wkn  :  Weakening  carrier  mets 

wkn  {x, yl}  {.x, y2}  {r}  {r'}  (Refl,  p)  It  =  Refl.  weaken  (B  x)  p  It 

£  takes  a  function  A  ->  Set  to  a  Set,  which  explains  the  funny  notation.  Intentional  equality  is 
represented  by  the  type  Id,  where  IdM.subst  gives  the  usual  substitution  eliminator.  The  proofs 
pattern-match  in  the  input  equations,  which  allows  the  goal  equations  to  be  filled  in  by  Refl, 
which  in  turn  simplifies  the  obligation  for  the  second  component. 

4.2  Syntax 

4.2.1  Types 


data  Ty  :  Set 

where 

-o  :  Ty 

->  Ty  -> 

Ty 

(8)  :  Ty 

->  Ty  -> 

Ty 

T  :  Ty 

!  :  PosReal 

->  Ty  -> 

Ty 

real  :  Ty 

‘n  :  (A  :  U)  ->  (El  A  -»•  Ty)  ->  Ty 
‘£  :  (A  :  U)  ->  (El  A  ->  Ty)  -»•  Ty 

The  first  part  of  the  syntax  of  types  is  unsurprising,  consisting  of  constructors  for  functions, 
monoidal  products,  scaling,  and  real  numbers. 
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Next,  we  exploit  the  fact  that  we  are  defining  this  language  inside  of  a  dependently  typed 
meta-language  by  enriching  the  language  with  a  simple  form  of  dependent  types.  In  particular, 
we  consider  only  dependency  on  sets  (which  can  also  be  thought  of  as  discrete  metric  spaces). 
This  allows  us  to  avoid  the  question  of  what  a  type  dependent  on  a  metric  space  means  (though 
we  will  return  to  a  similar  issue  in  Part  [111]),  as  the  domain  of  dependent  functions  and  pairs  is 
discrete.  The  simplest  type  for  these  constructors  would  be 


‘ITS  :  (A  :  Set)  ->  (A  ->  Ty)  ->  Ty 


That  is,  ‘II  takes  a  set,  and  a  function  that  picks  out  a  Ty  for  every  element  of  A,  and  gives 
back  a  Ty.  The  function  here  is  an  admissibility:  the  body  of  the  ‘II  can  be  defined  by  case- 
analysis  or  recursion  on  the  element  of  A,  which  we  will  exploit  below. 

However,  for  technical  reasons,  it  is  preferable  to  replace  Set  with  a  universe  U,  which  is 
itself  a  Set.  U  is  populated  by  "codes"  for  sets,  and  equipped  with  an  elimination  that  decodes 
each  code  as  a  set: 


data  U  :  Set  where 

lIuXu  :  (A  :  U)  -+  (El  A  -+  U)  -+  U 
_V_  :  (A  B  :  U)  -»•  U 
T  _L  :  U 

nat  :  U 
bool  :  U 
list  :  U  ->  U 

El  :  U  -»•  Set 

El  (IIu  A  B)  =  (x  :  El  A)  -+  El  (B  x) 

El  (Eu  A  B)  =  £  A  (x  :  El  A)  -+  El  (B  x) 

El  (A  V  B)  =  Either  (El  A)  (El  B) 

El  T  =  Unit 
El  ±  =  Void 
El  nat  =  Nat 
El  bool  =  Bool 
El  (list  A)  =  List  (El  A) 


Here,  we  define  a  simple  universe  consisting  of  dependent  functions  and  products,  disjoint  sums, 
natural  numbers,  booleans,  and  lists.  The  decoding  function  El  recursively  computes  a  Set  from 
each  code.  Because  of  the  dependent  types,  it  is  necessary  to  define  U  and  El  simultaneously, 
using  induction-recursion  (|'Dybjer[  [2000),  because  the  body  of  a  IIu  code  is  an  admissibility 
function  into  codes. 

There  are  two  reasons  to  use  U  instead  of  abstracting  over  any  Set.  The  first  is  that,  because 
of  predicativity,  if  we  used  Set,  then  Ty  itself  would  be  a  Setl.  As  an  engineering  issue,  we 
had  already  done  much  of  the  development  before  adding  the  dependent  type  constructors;  and 
switching  to  a  Setl  would  have  required  rewriting  some  code.  A  more  significant  reason  is  that 
we  will  soon  define  a  datatype  indexed  by  Ty.  Though  Agda  allows  it,  the  theory  of  datatypes 
indexed  non-uniformly  by  Setl’s  has  not  been  studied,  and  while  no  problems  are  known,  the 
universe  approach  allows  us  to  play  it  safe. 
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4.2.2  Contexts 

Contexts  are  lists  of  assumptions  A  [r],  meaning  A  is  true  with  sensitivity  r.  The  sensitivity  is 
a  scaling  factor,  equivalent  to  !  r  A.  A  function  A  -o  B  internalizes  a  term  of  type  B  with  free 
variable  A  [1],  and  is  thus  said  to  be  1-sensitive.  As  a  type,  a  context  A1  [rl],  ....An  [rn]  is 
equivalent  to  (!  rl  Al)  ®  ...  ®  (!  rn  An). 

record  Item  :  Set  where 
constructor  _  [_] 
field 
ty  :  Ty 
sen  :  PosReal 
open  Item  public 

Ctx  =  List  Item 


We  will  sometimes  apply  a  function  to  the  sensitivities  in  the  context,  in  particular  scaling 
them  with  multiplication  and  division: 

mapsens  :  (PosReal  ->  PosReal)  ->  Ctx  ->  Ctx 
mapsens  f  =  ListM.map  (A  Ar  ->  ty  Ar  [f  (sen  Ar)]) 

_*c_  :  PosReal  ->  Ctx  ->  Ctx 
r  *c  T  =  mapsens  (Ax  ->  x  *  r)  T 

_ -j-c _  :  Ctx  — >  PosReal  Ctx 

T  -4-c  r  =  mapsens  (Ax  ->  xt  r)  T 

If  two  contexts  T1  and  T 2  have  the  same  types,  their  join  is  a  third  context  with  the  sum  of 
their  sensitivities: 

-Tl  ,T2  =  T3 

data  Join  :  Ctx  ->  Ctx  ->  Ctx  ->  Set  where 
Done  :  Join  []  []  [] 

Cons  :  V  {Tl  T2  T3  rl  r2  A}  -»•  Join  T 1  T2  T3 

->  Join  (A  [rl]  ::  Tl)  (A  [r2]  ::  T2)  (A  [rl  +  r2]  ::  T3) 


4.2.3  Terms 

First,  we  define  a  datatype  of  constants,  indexed  by  their  types: 

data  Const  :  Ty  -»  Set  where 

cmpswp  :  Const  (real  -o  real  -o  real  ®  real) 
rsplit  :  Const  (real  -o  real  ®  real) 

cmpswp  compares  two  real  numbers  and  puts  them  into  increasing  order;  it  is  1-sensitive.  It  is 
necessary  to  take  compare-and-swap  as  a  primitive  because  it  is  not  possible  to  give  a  general 
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1-sensitive  comparison  on  reals,  such  as  positive  :  real  -o  bool.  Consider  what  it  means  for 
such  a  function  to  preserve  distances:  given  any  two  reals  of  distance  at  most  r,  the  booleans 
it  produces  are  of  distance  at  most  r.  But  the  space  of  booleans  is  discrete,  so  two  booleans 
are  only  non-infinitely-distant  if  they  are  identical.  So  a  1-sensitive  function  must  take  e.g.  -1 
and  1,  which  are  not  infinitely  far  apart,  to  the  same  boolean.  However,  compare-and-swap  is 
1 -sensitive,  because  it  puts  the  two  numbers  into  increasing  order,  but  does  not  tell  you  whether 
it  swapped  them  or  not. 

Similarly,  rsplit  injects  its  argument  into  the  left  or  the  right  component  of  the  pair,  depending 
on  whether  it  is  positive  or  negative,  and  leaves  the  other  component  0,  but  it  does  not  tell  you 
whether  it  was  positive  or  negative. 

Next,  we  define  a  datatype  of  typed  terms  in  context — i.e.  the  typing  derivations  of  the 
language — in  Figure  |4.1|  Constants  can  be  used  at  their  stated  types  with  the  rule  const.  Hy¬ 
potheses  can  be  used  with  the  rule  var  if  they  are  assumed  at  sensitivity  greater  than  1.  This 
rule  builds  in  two  kinds  of  weakening:  first,  the  remaining  variables  in  F  may  go  unused,  and 
second,  any  remaining  sensitivity  above  1  may  be  discarded.  The  rules  lam  and  app  for  -o  are 
the  standard  rules  modified  to  track  sensitivity  in  the  following  manner:  in  the  introduction  rule, 
the  new  assumption  is  assumed  1 -sensitive;  in  the  elimination  rule,  the  sensitivities  used  in  the 
function  position  and  in  the  argument  position  are  joined.  Pair  introduction  pair  is  similar.  Pair 
elimination  letpair  says  that  (1)  if  you  can  prove  A  ®  B  from  T  and  (2)  assuming  A  and  B  with 
sensitivity  r  you  can  prove  C  from  A,  then  you  can  prove  C  using  T  scaled  by  r  and  A.  The 
reason  this  rule  is  a  bit  complicated  is  that  it  builds  in  a  use  of  the  substitution  principle,  which 
has  the  form 

If  T  h  A  and  A,  A[r\  h  C  then  (r  *  T),  A  h  C 
or,  writing  V  h  A[r\  to  mean  F  -y  r  h  A,  it  can  equivalently  be  stated  as 

If  T  h  A[r\  and  A,  A[r\  h  C  then  T,  A  h  C. 

Similarly,  the  rule  bang  for  !  introduction  could  equivalently  be  written  with  a  division  in  the 
premise,  rather  than  a  multiplication  in  the  conclusion.  The  rule  let!  for  !  elimination  builds  in  a 
substitution,  similarly  to  letpair;  here  the  s  is  the  sensitivity  from  the  substitution  principle.  The 
rules  dlam  and  dapp  use  admissibility  functions  to  inherit  the  type  from  Agda:  a  ‘FI  is  introduced 
by  giving  an  Agda  function  that  yields  a  derivation  of  T  h  B  x  for  every  element  x  of  A,  and 
eliminated  by  choosing  such  an  element.  Dually,  ‘£  is  introduced  by  such  a  choice  and  eliminated 
by  hypothesizing  the  first  component  of  the  pair,  using  an  admissibility  function,  and  the  second 
component,  using  a  derivability  assumption,  dletpair  also  manipulates  the  sensitivities  in  the 
same  way  as  the  substitution  principle. 

4.2.4  Derived  forms 

As  a  simple  example,  we  show  that  binary  additives  (©  and  &)  are  definable  using  ‘£  and  ‘II. 
First,  we  define  if  for  booleans: 

if_then_else  :  {C  :  Set}  ->  Bool  ->  C  ->  C  ->  C 
if  True  then  x  else  y  =  x 
if  False  then  x  else  y  =  y 
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data  _b_  :  Ctx  ->  Ty  -»•  Set  where 
const  :  V  (T  A} 

->  Const  A 

-*•  r  b  a 

var  :  V  {T  A  r} 

->  (A  [r])  G  T  ->  1  0  ^  r 

->  r  b  a 

lam  :  V  {T  A  B} 

->  (A  [1  -0]  ::  T  b  B) 

-*•  T  b  A  -o  B 

app  :  V  {n  T2  T3  A  B} 

-»•  ribA-oB  -»•  T2bA  ->  Joinnr2r3 
-»•  T3  b  B 

0  :  v{r} 

->  rbi 

pair  :  V  {Tl  T2  T3  A  B} 

^ribA^r2bB->  Join  n  T2  T3 
— ■»  T3  b  A  <S>  B 
letpair  :  V{T  A  B  C  A  rT'} 

->  rb  A®  B  ->  (A  [r])  ::  (B  [r])  ::  A  b  C  ->  Join  (r  *c  T)  A  T’ 

->  T’  b  C 

bang  :  V  {T  A  r} 

->  r  b  a 

->  (r  *c  T)  b  !  r  A 
let!  :  V{nr2r3ACrs} 

-»•  Tl  b  !  r  A  -*•  (A  [r  *  s]  ::  T2)  b  C  ->  Join  (s  *c  Tl)  T2  T3 
-*•  T3bC 

dlam  :  V{T  A  B} 

-*•  ((x  :  El  A)  ->  T  b  (B  x)) 

->  r  b‘n  a  b 

dapp  :  V  (T  A  B } 

->  T  b‘II  A  B  ->  (t  :  El  A) 

->  rb(Bt) 

dpair  :  V  {T  A  B} 

->  (t  :  El  A)  ->  T  b  (B  t) 

-*•  TbEAB 

dletpair  :  V  {r  Tl  T2  T3  A  B  C} 

-»•  n  b‘S  A  B  ->  ((x  :  El  A)  -*•  ((B  x)  [r]  ::  T2)  b  C)  -*•  Join  (r  *c  Tl)  T2  T3 
T3  b  C 


Figure  4.1:  Typing  rules  for  differential  privacy 
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Next,  sums  are  encoded  as  usual  in  dependent  type  theory:  as  a  boolean  tag  bit,  followed  by 
an  element  of  either  A  or  B,  depending  on  whether  the  tag  bit  is  true  for  false: 

_©_  :  Ty  ->  Ty  ->  Ty 
A  ©  B  =  ‘S  bool  (A  b  ->  if  b  then  A  else  B) 

The  intro  rules  simply  tag  the  term  with  the  appropriate  bit: 

ini  :  V  {T  A  B}  ->  ThA  -»•  T  h  (A  ©  B) 

ini  e  =  dpair  True  e 

inr  :  V  {T  A  B}  -»•  T  h  B  ->  T  h  (A  ©  B) 

inr  e  =  dpair  False  e 

while  the  elimination  rule  checks  the  tag  and  defers  to  the  appropriate  branch: 

case  :  V  {T1  T2  T3  A  B  C  r} 

->  n  h  (A  ©  B) 

->  (A  [r]  ::  T2)  h  C  ->  (B  [r]  ::  T2)  h  C 
->  Join  (r  *c  Tl)  T2T3 
-*•  T3FC 

case  { Tl }  { T2 }  { T3 }  {A}  { B }  { C }  { r }  e  el  e2  =  dletpair  e  b  where 
b  :  (x  :  Bool)  ->  (if  x  then  A  else  B)  [r]  ::  T2  h  C 
b  True  =  el 
b  False  =  e2 


4.3  Soundness 

4.3.1  Combinators 

Instead  of  translating  to  metric  spaces  directly,  we  give  a  syntax  that  is  closer  to  the  metric 
spaces,  and  use  that  as  an  intermediary.  The  reason  for  this  is  technical:  the  translation  of  a 
natural  deduction  rule  typically  involves  several  of  the  primitive  operations  on  the  corresponding 
metric  spaces — e.g.  because  the  natural  deduction  rule  plumbs  the  context  through  each  rule.  For 
example,  we  may  have  to  apply  an  operation  that  reassociates  the  context,  which  is  represented 
as  tuple  using  ©: 

lassoc  :  V  {A  B  C}  -»  (A  ©  (B  ©  C))  =>•  ((A  ©  B)  ©  C) 

However,  when  this  rule  is  phrased  in  terms  of  the  semantics,  it  is  difficult  for  Agda  to  figure  out 
the  implicit  arguments,  because  ©s  is  not  treated  as  injective.  On  the  other  hand,  when  this  rule 
is  phrased  in  terms  of  the  syntax,  ©  is  a  datatype  constructor  and  therefore  injective.  Thus,  we 
can  simplify  the  syntax  of  the  translation  considerably  by  going  through  this  intermediate  step, 
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so  that  when  we  are  composing  together  these  combinators,  the  implicit  arguments  are  filled  in 
automatically. 

The  combinators  are  defined  as  follows: 

data  :  Ty  ->  Ty  ->  Set  where 

:  V  {A}  ->  Const  A  ->  T  A 
id  :  V  { A}  ^  A  A 

_ o :  V  {A  B  C}  -»•  B  C  ^  A  B  ^  A  C 

abs  :  V  {A  B  C}  -»•  (A  g  B)  ^  C  A^(B-oC) 

eval  :  V  {A  B}  ->  ((A  -o  B)  0  A)  ^  B 

wk  :  V  {A  B  C}  -»•  B  =>  C  ->  (A  g  B)  =>  C 

_gm_  :  V  {A  B  C  D}  ->  A=^B  ->  C  D  ->  A  g  C  B  g  D 

tw  :  V  {A  B}  ->  (A  g  B)  (B  g  A) 

one<5  :  V  {A}  -»  A  =>•  (A  g‘l) 

onei  :  V  {A}  ->  A  =gl 

rassoc  :  V  {A  B  C}  ->  ((A  g  B)  g  C)  =»  (A  g  (B  g  C)) 

lassoc  :  V  (A  B  C}  -»  (A  (g)  (B  (g)  C))  =>-  ((A  g  B)  g  C) 

dabs  :  V  {T  A  B}  ->  ((x  :  El  A)  -»•  T^Bx)  -»•  T  =VII  A  B 

dapp  :  V  {A  B}  ->  (t  :  El  A)  ->  ‘II  A  B  =>•  B  t 

dpair  :  V  {A  B}  ->  (t  :  El  A)  ->  B  t  A  B 

dsplit  :  V  { A  B  C }  ->  ((x  :  El  A)  -»•  Bx^C)  ^‘EAB^C 

rassocE  :  V  {A  B  C}  -»•  ((‘E  A  B)  <g)  C)  =>■  (‘E  A  (A  x  ->  B  x  g)  C)) 

lassocE  :  V  { A  B  C}  ->  (‘E  A  (A  x  ->  Bx®C))^  ((‘E  A  B)  g  C) 

!i  :  V  {A  r}  ->  r  ^  1  -0  ->  A  =>•  !  r  A 

!e  :  V  {A  r}  ->  l-0^r  ->  !  r  A  A 

Isplit  :  V  {A  r  s}  ->  (!  (r  +  s)  A)  =>•  ((!  r  A)  g  (!  s  A)) 

M2  :  V  {A  r}  ->  T  =>  A  -*•  T  =>  !  r  A 
If:  V{A  B  r}  ->  A  B  ->  !  r  A  =^-  !  r  B 
Ico  :  V  {A  s  r}  ->  !  r  (!  s  A)  =>•  !  (s  *  r)  A 

Icoi  :  V  {A  s  r}  ->  !  (s  *  r)  A  =>-  !  r  (!  s  A) 

!gd  :  V  {A  B  r}  -»•  !  r  (A  g  B)  4  (!  r  A)  g  (!  r  B) 

Igdi  :  V  {A  B  r}  ->  (!  r  A)  g  (!  r  B)  =>  !  r  (A  g  B) 

!Ed  :  V  {A  B  r}  -»•  !  r  (‘E  A  B)  =gE  A  (A  x  -*•  !  r  (B  x)) 

!Edi  :  V  {A  B  r}  ->  ‘E  A  (A  x  -»•  !r(Bx))=>  !  r(‘EAB) 

From  these  we  can  derive  weakening  (on  the  right)  and  interchange: 

wk’  :  V  (A  B  C}  ->  B^C  -*•  (BgA)^C 

wk'  f  =  wk  f  o  tw 

intch  :  V  {A  B  C  D}  ->  ((A  g  B)  g  (C  g  D))  =>•  ((A  g  C)  g  (B  g  D)) 

intch  =  lassoc  o  (id  gm  (rassoc  o  (tw  gm  id)  o  lassoc))  o  rassoc 


4.3.2  Source  to  combinators 

First,  we  define  the  interpretation  of  a  context  as  a  type,  as  discussed  above. 
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[Jet  :  Ctx  ->  Ty 
[  A  [r]  ::  r  ]ct  =  [  T  ]ct  ®  (!  r  A) 

E  []  let  =‘i 

Next,  we  prove  two  lemmas  about  contexts.  First,  the  meta-operation  of  multiplying  by  a 
sensitive  has  the  same  effect  as  !  (we  need  only  one  direction).  Second,  the  join  of  two  contexts 
is  the  same  as  their  tensor  (but  again  we  only  need  one  direction): 

ctx!  :  V  (T  r}  ->  [  r  *c  V  Jet  !  r  [  V  Jet 
ctx!  {  []  }  =  !i2  id 

ctx!  { B  [s]  ::  T}  =  !®di  o  (ctx!  { T }  ®m  !coi) 

join-lemma  :  V  (Tl  T2  T}  -»•  Join  T1T2T  -»•  [  T  ]ct  =>  ([  T1  Jet  ®  [  T2  Jet) 
join-lemma  Done  =  one<5 

join-lemma  (Cons  j)  =  intch  o  (join-lemma  j  ®m  Isplit) 

Next,  we  interpret  variables  as  a  series  of  weakenings  around  a  use  of  !e: 

varf  :  V  (T  A  r}  ->  (A  [r])  G  T  ->  1  -0  ^  r  ->  [[  T  Jet  A 

varf  iO  le  =  wk  (!e  le) 

varf  {  B  [r]  ::  T}  (iS  y)  le  =  wk'  (varf  y  le) 

Finally,  the  translation  to  combinators  is  an  exercise  in  programming  by  type-checking.  We 
recommend  reading  this  in  the  companion  code  in  Agda,  so  that  you  can  investigate  the  types  of 
each  clause. 


[Ji  :  v{r A}  ->  ri-A  ->  [rjct=4>A 

[  var  i  le  ] !  =  varf  i  le 

[  const  c  ] !  =  =^c  c  o  onei 

[  lam  e  ] x  =  abs  ([  e  ]i  o  (id  ®m  !i  ^refl)) 

[appee’jji  =  eval  o  ([  e  ]i  ®m  [  e’  ]i)  o  join-lemma  j 

[  (>  ]i  =  onei 

[pairee’jji  =  ([  e  ]i  ®m  [  e’  Jx)  o  join-lemma  j 
[  letpair  { T }  e  e’  j  Jx  =  (([  e’  o  lassoc)  otwo  (tw  ®m  id))  o 

(((!<S>d  o  !f  [  e  ] i)  o  ctx!  { T  })  (gim  id)  o  join-lemma  j 
[  bang  {r}  x  ]x  =  !f  [x  ]i  o  ctx!  {T} 

[  let!  {ri}  e  e’  j  ]i  =  [  e'  ]i  o  (id  ®m  (!co  o  (!f  [  e  ]i)  o  ctx!  { Tl }))  o  tw  o  join-lemma  j 
[dlameji  =  dabs  (A  x  ->  [exji) 

[  dapp  e  t  h  =  dapp  t  o  [  e  h 
[dpairteji  =  (dpairt)  o  [  e  h 

[  dletpair  { r}  (Tl }  {T2}  {T3}  el  e2  j  ]i  =  dsplit  (A  x  ->  [e2x]i  otw) 
o  ((rassocS)  o  (!Sd  ®m  id)) 

o  (!f  [  el  ]i  o  ctx!  { r  1 }  ®m  id  {  [  T2  Jet})  o  join-lemma  j 
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4.3.3  Combinators  to  metric  spaces 

First,  we  interpret  types  using  the  corresponding  metric  space  constructors: 


LI  :  Ty 

->  MetS 

[A-oB] 

=  [  A  ]  -os  [  B  ] 

[A®  B] 

=  [  A  j  ®s  [  B  ] 

[  real  ]  = 

reals 

[  !  rA] 

=  !sr  [  A] 

[‘1  ]  =  ones 

rn  a  b  ] 

=  ns  (El  A)  (Ax  -> 

[Bx]) 

[‘SAB] 

=  Ss  (El  A)  (Ax  -*• 

[Bx]) 

]c  :  Ctx  ->  MetS 

[r]c  = 

[r]ct] 

We  also  compose  this  with  the  type  interpretation  of  contexts. 

The  interpretation  of  combinators  as  metric  spaces  has  the  following  type: 

| _ ]  2  :  V{AB}  -  A^B  -  Func  [  A  ]  [B] 

A  combinator  term  from  A  to  B  is  interpreted  as  a  distance-preserving  function  from  [  A  ] 
to  [  B  ].  The  implementation  is  about  90  lines  of  code,  which  we  excerpt  briefly  here.  The 
underlying  functions  are  what  one  would  expect  if  you  ignore  the  metrics  and  read  the  types  of 
the  combinators  intuitionistically.  The  proofs  of  distance-preservation  are  not  difficult,  but  they 
do  involve  a  bit  of  arithmetic  and  equality  manipulation.  The  case  for  eval  is  typical: 

[  eval  {  A}  { B}  ]2  =  record  { 

und  =  A  fa  ->  und  (fst  fa)  (snd  fa); 
pres  =  (A  {  fa  1  fa 2  r}  d  -> 

IdM.subst  (A  z  ->  [  B  ]  ^>  und  (fst  fal)  (snd  fal)  ~  und  (fst  fa2)  (snd  fa2)  ^  z) 
(+twist  (t  d)) 

([  B  ]  >  pres  (fst  fal)  (52  d)  o  (51  d)))} 

The  underlying  function  is  given  by  function  application.  The  proof  of  distance  preservation 
uses  (1)  the  distance  between  the  two  functions  on  any  single  argument  (51  d),  (2)  the  distance 
between  the  arguments  (52  d),  (3)  distance  preservation  for  (fst  fal),  and  (4)  an  equality  coercion 
using  a  proof  that  addition  is  commutative  (+twist). 

Primitives,  like  cmpswp,  are  interpreted  by  implementing  the  desired  function  on  the  carrier — 
in  this  part  of  the  semantics,  one  is  free  to  use  boolean-valued  less-than,  etc. — and  then  doing 
the  arithmetic  to  prove  the  implementation  preserves  distances. 

Finally,  we  tie  it  all  together  by  composition: 


I _ ]  12  :  V{rA}  -  TFA  -  Func  [  T  ]c  [  A  ] 

[e]l2  =  [  [  e  ]  1  ]  2 


4.4.  EXAMPLES 
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4.4  Examples 

First,  we  need  a  type  of  lists: 
rlist  :  Ty 

nil  :  V  { r }  ->•  r  h  rlist 

cons  :  V{r}  ->•  T  h  (real  -o  rlist  -o  rlist) 

listrec  :  V{rnr2r3C}  ->  T1  h  rlist 

->  T2FC 

->  (real  [r]  ::  C  [r]  ::  T2  h  C) 

->  Join  (r*cri)  T2T3 
-»•  T3  h  C 


This  type  can  either  be  added  to  the  language  and  its  semantics,  or  implemented  using  S-types 
and  recursion  as  ‘£  nat  (An  ->  vec  n  real)  where  vec  0  A  =  ‘1  and  vec  (S  n)  A  = 
A  0  vec  A  n. 

As  an  example,  we  implement  a  function  to  insert  a  real  number  in  order  into  a  list  of  real 
numbers,  which  is  assumed  to  be  sorted  in  increasing  order.  The  type  system  proves  that  this 
function  is  1-sensitive;  Reed  and  Pierce i(j2010j)  use  this  function  to  define  insertion  sort,  which 
shows  that  sorting  can  be  used  in  a  1 -sensitive  function.  In  concrete  syntax,  insert  is  implemented 
as  follows: 


insert  :  rlist  -o  real  -o  rlist 
insert  =  A  I  -> 
listrec  I  of 

|]  ->  Anew  ->  (cons  new  []) 
x  ::  r  A  new  -> 

let  (smaller,  bigger)  =  cmpswap  x  new  in  smaller  ::  r  bigger 

insert  is  1-sensitive  because  it  uses  variables  linearly,  and  relies  on  only  one  primitive,  cmpswap, 
which  is  proved  sound  in  the  semantics. 

To  use  Agda  as  a  type  checker  for  this  term,  we  must  first  translate  the  concrete  syntax  into 
abstract  syntax,  and  the  variables  into  de  Bruijn  form: 

insert  :  []  h  rlist  -o  real  -o  rlist 
insert  = 

lam  (listrec  (var  iO  ^refl) 

(lam  (app  (app  cons  (var  iO  ^refl)  ?)  nil  ?)) 

(lam  (letpair  (app  (app  (const  cmpswp)  (var  iO  ^  ref  I)  ?)  (var  (iS  iO)  ^  ref  I)  ?) 

((app  (app  cons  (var  (iS  iO)  ^  ref  I)  ?) 

(app  (var  (iS  (iS  (iS  (iS  iO))))  ^refl)  (var  iO  ^refl)  ?)  ?))  ?))  ?) 

Next,  we  must  annotate  each  rule  with  more  than  one  premise  with  a  proof  of  Join,  which 
shows  how  to  split  the  context: 
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insert  :  []  b  rlist  -o  real  -o  rlist 
insert  =  lam  (listrec  (var  iO  ^ ref I) 

(lam  (app  (app  cons 
(var  iO  ^refl) 

(Cons’  right  (Cons'  nw  Done))) 
nil  (Cons’  left  (Cons'  nw  Done)))) 

(lam  (letpair  (app  (app  (const  cmpswp) 

(var  iO  ^refl) 

(Cons’  right  (Cons’  nw  (Cons'  nw  (Cons’  nw  Done))))) 

(var  (iS  iO)  ^ ref I) 

(Cons’  left  (Cons’  right  (Cons’  nw  (Cons’  nw  Done))))) 

((app  (app  cons 

(var  (iS  iO)  ^refl) 

(Cons'  nw  (Cons’  right  (Cons’  nw  (Cons’  nw  (Cons’  nw  (Cons'  nw  Done))))))) 
(app  (var  (iS  (iS  (iS  (iS  iO))))  ^refl) 

(var  iO  ^refl) 

(Cons'  right  (Cons'  nw  (Cons’  nw  (Cons’  nw  (Cons’  left  (Cons’  nw  Done))))))) 
(Cons’  right  (Cons’  left  (Cons’  nw  (Cons’  nw  (Cons'  right  (Cons’  nw  Done)))))))) 
(Cons’  leftl  (Cons’  leftl  (Cons’  rightl  (Cons’  nwl  Done)))))) 

(Cons’  leftl  Done)) 

In  this  code,  we  never  split  a  sensitivity:  when  splitting  a  variable  A  [r],  we  assume  A  [r] 
in  one  branch  and  A  [0]  in  the  other.  Thus,  the  proofs  of  Join  rely  on  only  a  simple  collection 
of  arithmetic  proofs,  corresponding  to  whether  the  variable  goes  into  the  left  branch,  the  right 
branch,  or  nowhere  (for  variables  whose  sensitivity  is  already  0).  To  give  these  directions,  we 
use  left  :  Id  (1  +  0)  1  and  right  :  Id  (0  +  1)  1  and  nw  :  Id  (0  +  0)  0.  leftl,  rightl,  and 

nwl  additionally  cancel  a  multiplication  by  1,  which  arises  in  elimination  rules  that  choose  an 

arbitrary  sensitivity  for  the  cut  formula.  We  also  use  a  derived  version  of  Cons,  which  abstracts 
the  constraint  that  the  result  sensitivity  is  the  sum  of  the  two  inputs  into  an  equality  premise: 

Cons’  :  V  { T1  T2  T3  rl  r2  r3  A}  ->  Id  (rl  +  r2)  r3  ->  Join  T1  T2  T3 

->  Join  (A  [rl]  ::  T 1)  (A  [r2]  ::  T2)  (A  [r3]  ::  T3) 

Cons’  Refl  p  =  Cons  p 


4.5  Discussion 


In  this  chapter,  we  have  an  implemented  an  semantic  approach  to  a  programming  language  for 
differential  privacy:  we  implemented  metric  spaces  and  distance  preserving  functions  and  mech¬ 
anized  the  translation  from  Reed  and  Pierce  (2010|)’s  linear- logic-based  type  system  into  this 
semantics.  The  resulting  language  is  easily  extensible  by  new  primitives,  if  they  can  be  proved 
sound  semantically.  The  operational  behavior  of  programs  is  inherited  from  the  host  language: 
the  semantics  also  functions  as  a  compiler  from  the  affine  system  to  Agda.  We  are  currently  in 


the  process  of  extending  this  code  with  more  type  constructors,  such  as  Reed  and  Pierce  (2010)’s 


4.5.  DISCUSSION 
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monad  of  probabilistic  computations,  and  primitives.  We  hope  to  be  able  to  verify  the  solution  to 
Netflix’s  privacy  bug,  where  they  released  anonymized  movie  rental  records  that  could  nonethe¬ 


less  be  correlated  with  other  databases,  such  as  IMDB  (McSherry  and  Mironov  2009,  Narayanan 
and  Shmatikovl  12008b. 


What  tools  have  we  used  in  this  implementation?  First,  we  exploited  admissibility  functions 
from  the  meta-language  in  a  crucial  way:  a  distance-preserving  function  is  a  function  equipped 
with  a  proof  that  it  preserves  distances.  This  requires  dependency  on  admissibility  functions 
as  well:  this  example  would  not  be  possible  in  Twelf,  Delphin,  or  Beluga,  which  either  do 
not  have  a  type  of  admissibility  functions,  or  do  not  allow  dependency  on  them.  Second,  we 
exploited  the  fact  that  we  were  working  in  a  dependently  typed  host  language  to  add  dependent 
types  (over  sets)  to  the  language.  Thus  far,  we  have  used  these  dependent  types  as  generalized 
additives,  though  we  could  also  explore  using  them  for  expressing,  e.g.,  data  structure  invariants 
in  differentially  private  code.  Because  of  n  and  Z,  the  definition  of  the  syntax/typing  derivations 
of  the  language  uses  a  mix  of  admissibility  and  derivability:  e.g.  the  premise  of  dletpair  binds 
two  assumptions,  one  admissibility  and  the  other  derivability.  We  explore  such  mixed  definitions 
in  Part  HIl 

It  is  possible,  if  tedious,  to  verify  programs  by  writing  them  directly  as  an  element  of  the 
source  language  datatype.  Agda’s  implicit  argument  mechanism  can  already  be  used  to  infer 
types  and  contexts,  but  the  representation  is  cluttered  by  (a)  the  de  Bruijn  representation  of  vari¬ 
ables  and  (b)  the  context  splitting  annotations  necessary  for  the  affine  logic.  We  speculate  on  a 
solution  to  (a)  below;  for  the  latter,  we  could  implement  resource  inference ,  to  infer  the  Join  an¬ 
notations,  analogously  to  the  theorem  prover  in  the  previous  chapter.  Given  these  improvements, 
writing  elements  in  the  Agda  datatype  of  well-typed  terms  would  be  quite  close  to  the  desired 
concrete  syntax. 


Categorical  Interpretation  Another  reason  we  have  presented  this  example  is  that  it  fore¬ 


shadows  the  categorical  interpretation  of  type  theory  that  we  present  in  Part  III  The  type  MetS 
of  metric  spaces  is  in  fact  the  specification  of  an  enriched  category,  with  the  Carrier  being  the 
set  of  objects,  and  the  distance  relation  the  set  of  morphisms  (enriched  by  distance).  Distance¬ 
preserving  functions  are  analogous  to  functors.  The  description  of  the  various  type  constructors 
has  a  similar  feel  to  construction  of  a  Cartesian  closed  structure  in  Cat.  The  fact  that  we  have 
not  required  distance  to  be  symmetric  foreshadows  the  directed  type  theory  described  below. 
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Part  II 

Mixing  Derivability  and  Admissibility 
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Chapter  5 

An  Embedded  Logical  Framework 


The  research  described  in  this  chapter  was  conducted  jointly  with  Robert  Harper,  and  published 
in  ICFP  2009  ( Licata  and  Harper  2009). 


The  above  examples  motivate  providing  a  generic  implementation  of  derivability  inside  of 
MLTT.  One  option  would  be  to  implement  a  well-known  logical  framework,  such  as  LF.  How¬ 
ever,  this  would  not  account  for  inductive  definitions  that  mix  derivability  and  admissibility  as¬ 
sumptions.  Admissibility  premises  are  useful  because  they  permit  infinitely  branching  deriva¬ 
tions,  as  in  the  differential  privacy  example  above,  and  allow  certain  forms  of  side  conditions , 
such  as  negated  premises  (as  J  N  false).  Thus,  we  instead  take  the  opportunity  to  explore  a 
new  logical  framework  that  allows  such  interaction.  In  this  chapter,  we  focus  on  the  hypothet¬ 
ical  judgement,  precluding  dependency  on  assumptions.  Because  of  this  restriction  to  “non¬ 
dependent  judgements,”  our  examples  focus  on  simply-typed  programming  with  abstract  syntax. 
Our  goal  is  to  demonstrate  that 

It  is  possible  to  implement,  within  a  dependently  typed  programming  language,  a 
logical  framework  that  allows  derivability  and  admissibility  to  be  mixed  in  novel 
and  interesting  ways. 

As  we  discussed  briefly  in  Chapter[2]  the  reason  that  mixing  admissibility  and  derivability  is 
difficult  is  that  rules  with  admissibility  premises  are  not  necessarily  pure,  and,  consequently,  the 
structural  properties  do  not  necessarily  hold.  For  example,  in  logical  frameworks  such  as  LF,  it  is 
always  possible  to  weaken  a  value  of  type  J  to  L  F  J .  However,  this  is  not  necessarily  possible 
when  J  itself  is  an  admissibility.  The  reason  is  that  we  interpret  an  admissibility  in  a  derivability 
context,  $  h  (J  N  K ),  as  essentially  the  same  thing  as  an  admissibility  between  derivabilities: 
(T  h  J)  N  ('F  h  K).  Now,  suppose  we  are  given  a  function  /  of  type  'F  h  ( J  N  K ),  and  we  try 
to  weaken  this  to  a  function  of  type  (\F,  L)  F  (./  L  K).  This  requires  an  admissibility  function 
from  (\F,  L)  h  J  to  (\F,  L)  h  K.  Since  /  is  a  black  box,  we  can  only  hope  to  achieve  this  by 
pre-  and  post-composing  with  appropriate  functions.  The  post-composition  must  take  'F  h  K 
to  ty,L  h  K,  which  is  a  recursive  application  of  weakening.  However,  the  pre-composition 
has  a  contravariant  flip:  we  require  strengthening  ('F,  L)  h  ./  to  \F  h  ./in  order  to  call  /. 
Such  a  strengthening  function  does  not  in  general  exist,  because  the  derivation  of  J  might  be 
that  assumption  of  L.  Similarly,  substitution  of  terms  for  variables  is  not  necessarily  possible, 
because  substitution  requires  weakening. 
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As  a  concrete  example,  consider  a  closed  admissibility  function  of  type  •  h  (exp  N  exp), 
which  is  defined  by  case-analysis  over  closed  A-calculus  expressions,  giving  cases  for  functions 
and  applications — but  not  for  variables,  because  there  are  no  variables  in  the  empty  context. 
Weakening  such  a  function  to  type  exp  b  (exp  N  exp)  enlarges  its  domain,  asking  it  to  handle 
cases  that  it  does  not  cover.  Another  example,  which  is  particularly  stark,  is  weakening  L  b  false, 
which  refutes  the  existence  of  any  terms  of  type  L,  to  L  b  (L  b  false),  which  has  one  such  term 
to  account  for. 

Our  solution  to  this  problem  rests  on  the  observation  that  there  is  nothing  about  the  inductive 
definition  of  derivability  that  requires  the  structural  properties  to  hold.  We  saw  this  in  the  sim¬ 
ple  logical  frameworks  described  in  Section  [2]  the  identity  principle  is  taken  as  a  rule,  but  the 
remaining  structural  properties  are  proved  admissible.  Thus,  we  may  give  a  definition  of  a  frame¬ 
work  that  allows  both  admissibility  and  pre-derivability.  Pre-derivability  captures  the  notion  of  a 
scoped  assumption,  which  can  be  used  via  the  identity  principal,  but  does  not  necessarily  satisfy 
the  remaining  structural  properties.  Then,  we  analyze  circumstances  under  which  the  structural 
properties  hold,  in  which  case  pre-derivability  is  actually  derivability. 

More  concretely,  we  implement,  in  Agda,  a  logical  framework  with  two  function-like  type 
constructors,  D  (for  admissibility)  and  =>•  (for  pre-derivability).  A  D  B  classifies  Agda  func¬ 
tions,  while  D  =>■  A  classifies  values  of  type  A  with  a  free  scoped  assumption  of  type  D.  In 
some  cases,  D  =>  A  represents  a  derivability,  and  therefore  determines  a  function  given  by  sub¬ 
stitution,  but  in  some  cases  it  does  not.  However,  rather  than  leaving  it  to  the  programmer  to 
implement  the  structural  properties,  we  observe  that  they  are  in  fact  definable  generically,  not  for 
every  type  D  =>■  A,  but  under  certain  conditions  on  the  types  D  and  A.  For  example,  returning 
to  our  failed  attempt  to  weaken  A  D  B  above,  if  variables  of  type  D  could  never  appear  in  terms 
of  type  A,  then  the  required  strengthening  operation  would  exist.  As  a  rough  rule  of  thumb,  one 
can  weaken  with  types  that  do  not  appear  to  the  left  of  a  computational  arrow  in  the  type  being 
weakened,  and  similarly  for  substitution.  Our  framework  implements  the  structural  properties 
generically  but  conditionally,  providing  programmers  with  the  structural  properties  “for  free” 
in  many  cases.  We  implement  =>■  with  well-scoped  de  Bruijn  indices,  but  another  first-order 
representation  of  derivability  with  explicit  contexts  could  be  used  instead. 

Our  framework  is  implemented  as  a  universe  in  Agda  (we  saw  a  simple  example  of  a  uni¬ 
verse  in  Chapter[4]).  This  means  that  we  (a)  give  a  syntax  for  the  types  of  the  framework  and  (b) 
give  a  function  mapping  the  types  of  our  language  to  certain  Agda  types;  the  programs  of  the 
framework  are  then  the  Agda  programs  of  those  types.  This  implementation  strategy  allows  us 
to  reuse  the  considerable  implementation  effort  that  has  gone  into  Agda,  and  to  exploit  generic 
programming  within  dependently  typed  programming  ( Altenkirch  and  McBride)  2003 )  to  imple¬ 
ment  the  structural  properties.  Additionally,  it  permits  programs  written  using  our  framework  to 
interact  with  existing  Agda  code. 

In  particular,  we  define  a  universe  of  contextual  types,  which  permit  inference  rules  to  be 
written  in  the  local  form  discussed  in  Chapter  [2}  the  context  of  scoped  assumptions  need  not 
be  mentioned  explicitly  in  rules,  but  is  passed  in  from  the  outside.  This  often  permits  more 
concise  specifications.  Semantically,  a  type  in  the  universe  is  interpreted  as  a  function  from 
contexts  to  Agda  types.  For  example,  the  contextual  type  A®  B,  is  interpreted  as  the  function 
A'F.(T')A  x  (T)  If  where  (T)  /I  stands  for  the  interpretation  of  /I  at  T.  and  x  is  pairing  in 
Agda.  The  universe  types  are  thus  “point-free”  combinators  that  generate  functions  from  con- 
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texts  to  types,  without  mentioning  the  context  argument  explicitly.  For  example,  D  =>■  A  is 
interpreted  as  A'F.  (T,  D)  A — it  extends  the  current  context  without  mentioning  it  by  name.  That 
said,  our  framework  supplies  a  rich  enough  set  of  combinators  that  contexts  can  be  mentioned 
explicitly  when  this  is  helpful — for  example,  the  contextual  type  [\F]A  represents  a  constant  func¬ 
tion  A_.  (T)  A  which  interprets  A  relative  to  the  given  T.  ignoring  the  context  supplied  by  the 
interpretation. 

Our  framework  implements  a  variety  of  structural  properties  for  the  universe,  including  weak¬ 
ening,  substitution,  exchange,  contraction,  and  subordination-based  strengthening  ( Virga[[l999), 
all  using  a  single  generic  map  function  for  datatypes  that  mix  binding  and  computation.  The 
structural  properties’  preconditions  are  defined  computationally,  so  that  our  framework  can  dis¬ 
charge  these  conditions  automatically  in  many  cases.  This  gives  the  programmer  free  access  to 
weakening,  substitution,  etc.  (when  they  hold). 

In  Section  |5.1[  we  introduce  our  language  and  its  semantics.  In  Section  |5.2[  we  present 


examples.  We  program  a  variety  of  examples,  and  demonstrate  that  we  can  express  detailed 
invariants  about  variable  usage  in  a  program’s  type  while  still  writing  clean  and  clear  code. 
For  example,  we  implement  normalization-by-evaluation  (|Berger  and  Schwichtenbergl  1991[ 


Marti  n-L5fj  1975 )  for  the  untyped  A-calculus,  an  example  considered  in  FreshML  by  Shinwell 


et  al.  (2003).  Our  version  of  this  algorithm  makes  essential  use  of  a  datatype  mixing  binding  and 


computation,  and  our  type  system  verifies  that  evaluation  maps  closed  terms  to  closed  terms.  In 
Section |53j  we  discuss  the  structural  properties.  In  Sections  5.4,  we  discuss  related  work. 


5.1  Language  Definition 

5.1.1  Types 

The  grammar  for  the  types  of  our  language  is  as  follows: 


Defined  atoms  D 
Var.  Types  C 

Contexts  T 

Types  A 


(a  subset  of  D ) 

OK*,  co 

‘0  \‘1\  A®  B  \  A®  B  \  list  A  |  Ad  B 
D+  D  |  C#  |  T  A  |  UA 
Vc  -il). A  |  3C  'll). A  |  V^cAl  |  3s;CA 


The  language  is  parametrized  by  a  class  of  defined  atoms  D,  which  are  the  names  of  datatypes. 
A  subset  of  these  names  are  variable  types,  which  are  allowed  to  appear  in  contexts.  This  dis¬ 
tinguishes  certain  types  C  which  may  be  populated  by  variables  from  other  types  D  which  may 
not.  This  definition  of  VarType  permits  only  variables  of  base  type,  not  higher-order  rules.  Our 
approach  is  compatible  with  higher-order  rules,  as  we  show  in  Chapter  [6j  but  for  simplicity  we 
leave  them  out  of  this  Agda  implementation.  Contexts  are  lists  of  variable  types,  written  with 
’cons’  on  the  right. 

The  types  on  the  first  line  have  their  usual  meaning.  The  type  D+  D  is  the  datatype  named 
by  D.  Following  Delphin  (Poswolsky  and  Schurmann  2008 ),  we  include  a  type  C#  classifying 
only  the  variables  of  type  C.  The  type  T  =>*  A  of  pre-derivabilities  classifies  inhabitants  of 
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A  in  the  current  context  extended  with  4'.  The  type  DA  classifies  closed  inhabitants  of  A.  The 
types  Vc  and  3C  classify  universal  and  existential  context  quantification;  A  p-A  and  3<x'^  provide 
bounded  quantification  over  contexts  containing  only  the  type  C. 

Agda  implementation 

We  now  represent  these  types  in  Agda.  We  represent  defined  atoms,  variable  types  and  contexts 
as  follows: 

DefAtom  =  DefinedAtoms.Atom 
data  VarType  :  Set  where 

>  :  (D  :  DefAtom)  {_  :  Check  (DefinedAtoms. world  D)}  ->  VarType 
Vars  =  List  VarType 

DefinedAtoms.Atom  is  a  parameter  that  we  will  instantiate  later.  DefinedAtoms. world  returns 
true  when  D  is  allowed  to  appear  in  the  context;  Check  turns  this  boolean  into  a  proposition 
(Check  True  is  the  unit  type;  Check  False  is  the  empty  type;  see  Chapter[2]for  an  introduction). 
A  VarType  is  thus  a  pair  of  an  atom  along  with  the  credentials  allowing  it  to  appear  in  contexts. 
We  represent  the  syntax  of  types  in  Agda  as  follows: 


data  Type 

:  Set  where 

—  types  that  have  their  usual  meaning 

T 

Type 

Type  ->  Type  ->  Type 

‘0 

Type 

Type  ->  Type  ->  Type 

list  :  Type  ->  Type 

_D_ 

Type  ->  Type  ->  Type 

—  datatypes  and  context  manipulation 

D+ 

DefAtom  ->  Type 

_# 

VarType  ->  Type 

Vars  ->  Type  Type 

□ 

Type  ->  Type 

Vc 

(Vars  ->  Type)  ->  Type 

3c 

(Vars  ->  Type)  ->  Type 

v^ 

VarType  ->  Type  ->•  Type 

3^ 

VarType  ->  Type  ->•  Type 

The  only  subtlety  in  this  definition  is  that  we  represent  the  bodies  of  Vc  and  3c  by  admissibil¬ 
ity  functions  in  Agda.  This  choice  has  some  trade-offs:  on  the  one  hand,  it  means  that  the  bodies 
of  quantifiers  can  be  specified  by  any  Agda  computation  (e.g.  by  recursion  over  the  domain).  On 
the  other  hand,  it  makes  it  difficult  to  analyze  the  syntax  of  Types,  because  there  is  no  way  to 
inspect  the  body  of  the  quantifier.  Indeed,  this  caused  problems  for  our  implementation  of  the 
structural  properties,  which  we  solved  by  adding  certain  instances  of  the  quantifiers  (V=>-  and 
3=»,  discussed  below),  which  would  otherwise  be  derived  forms,  as  separate  Type  constructors. 
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In  future  work,  we  may  pursue  a  more  syntactic  treatment  of  the  quantifiers  (which  would  of 
course  be  easier  if  we  had  good  support  for  variable  binding  in  Agda). 

A  rule,  which  is  the  type  of  a  datatype  constructor,  pairs  the  defined  atom  being  constructed 
with  a  single  premise  type  (zero  or  many  premises  can  be  encoded  using  ‘1  and  <g>): 

data  Rule  :  Set  where 

_4=_  :  DefAtom  ->  Type  ->•  Rule 

We  will  make  use  of  a  few  derived  forms: 

•  We  write  (V=>-  A)  for  Vc  (A  \k  ->  \k  =^>*  A),  and  similarly  for  3=>.  This  type  quantifies 
over  a  context  T  and  immediately  binds  it  around  A.  Similarly,  we  write  '  \k  *  A  for 
□  (tf  =*►*  A) 

•  We  write  (C  =>  T)  for  with  a  single  premise. 

•  We  write  (C  +)  for  (D+  C)  when  C  is  a  variable  type. 

•  We  write  bool  for  ‘1  ©‘1  and  A  option  for  A  ®‘l. 

5.1.2  Semantics 

In  Figure  |5Tj  we  define  the  semantic  interpretation  of  a  Type,  a  function  <_>_  which  maps 
each  Type  to  a  function  from  contexts  to  sets.  We  write  an  application  of  this  function  as 
<  'k  >  A,  where  \k  is  a  context  and  a  A  is  a  Type.  The  first  six  cases  interpret  the  basic 
types  of  the  simply-typed  A-calculus  as  their  Agda  counterparts,  pushing  the  context  inside  to 
the  recursive  calls. 

The  next  two  cases  interpret  datatypes.  We  define  an  auxiliary  datatype  called  Data  which 
represents  all  of  the  data  types  defined  in  the  universe.  Data  is  indexed  by  a  context  and  a  defined 
atom,  with  the  idea  that  the  Agda  set  Data  \k  D  represents  the  values  of  datatype  D  in  context  T. 
There  are  two  ways  to  construct  a  datatype:  (1)  apply  a  datatype  constructor  to  an  argument  and 
(2)  choose  a  variable  from  \k.  Constants  are  declared  in  a  signature,  represented  with  a  predicate 
on  rules  InS  :  Rule  ->  Set,  where  InS  R  is  inhabited  when  the  rule  R  is  in  the  signature. 
The  first  constructor,  written  as  infix  •,  pairs  a  constant  with  the  interpretation  of  the  constant’s 
premise.  The  second  constructor,  >,  injects  a  variable  from  \k  into  Data;  the  type  of  well-scoped 
de  Bruijn  indices  _G_  was  discussed  in  Chapter[2j  A  DefAtom  D  is  in  the  context  if  there  exist 
credentials  c  for  which  the  VarType  formed  by  (>  D  { c })  is  in  the  list  T. 

Finally,  we  provide  a  collection  of  types  that  deal  with  the  context:  'k  =>*  A  extends  the 
context  (we  write  +  for  append);  □  A  clears  the  context.  The  quantifiers  Vc  and  3c  are  interpreted 
as  the  corresponding  Agda  dependent  function  and  pair  types.  Finally,  the  types  D  A  and 
3^  D  A  quantify  over  contexts  \k’  for  which  All Eq  \k’  D  holds.  The  type  All Eq  says  that 
every  variable  type  in  \k  is  equal  to  the  given  type  D  (List. all  is  true  when  its  argument  is  true 
on  all  elements  of  the  list;  eqVarType  is  a  boolean-valued  equality  function  for  variable  types). 
(We  could  internalize  All  Eq  \k’  D  as  a  type  alleq  D — given  meaning  by  <  'k  >  (alleq  D)  = 
All  Eq  \k  D — in  which  case  the  bounded  quantifier  could  expressed  as  a  derived  form,  but  we 
have  not  needed  alleq  D  in  a  positive  position  in  the  examples  we  have  coded  so  far.) 

An  Agda  datatype  is  strictly  positive  if  it  does  not  appear  to  the  left  of  an  Agda  (admissibility) 
function  type  (->•)  in  its  own  definition;  this  positivity  condition  ensures  that  the  user  does  not 
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All Eq  :  Vars  ->  VarType  ->  Set 

All  Eq  'F  D  =  Check  (ListM.all  (eqVarType  D)  'F) 

mutual 

data  Data  ('I'  :  Vars)  (D  :  DefAtom)  :  Set  where 

:  {A  :  Type}  ->  InE  (D  4=  A)  ->  <  'F  >  A  ->  Data  'F  D 
>  :  (c  :  _}  ->  (>  D  { c })  e  'I'  ->  Data  'F  D 

<_>_  :  Vars  ->  Type  ->  Set 

—  basic  types 

<  T  >T  =  Unit 

<  <F  >‘0  =  Void 

<  <F  >  (A  <g)  B)  =  (<  <F  >  A)  x  (<  <F  >  B) 

<  'F  >  (A  ®  B)  =  Either  (<  vF  >  A)  (<  vF  >  B) 

<  vF  >  (list  A)  =  List  (<  'F  >  A) 

<  f  >  (A  D  B)  =  (<  <F  >  A)  ->  (<  ^  >  B) 

—  data  types 

<  vF  >  (D+  D)  =  Data  'F  D 

<  ^  >  (D  #)  =  De$ 

—  context  manipulation 

<  'F  >  ('Fnew  =^*  A)  =  <  \F  +  'Fnew  >  A 

<  _  >  (□  A)  =  <  []  >  A 

<  vf  >  (3c  r)  =  EAf  ->  <  ^  >  (r  'F’) 

<  'F  >  (Vc  r)  =  ('F’  :  Vars)  ->  <  'F  >  (r  'F') 

<  vF  >  (V^  D  A)  =  (^’  :  Vars)  ->  All  Eq  \l>’  D  ->  <  vF  +  vF’  >  A 

<  vF  >  (3^  DA)  =  E  (A  (\F’  :  Vars)  ->  AIIEq  D  x  <  $  +  $' >  A) 


Figure  5.1:  Interpretation  of  the  universe 
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define  general  recursive  types  (e.g.  jiD.D  — >  D),  which  can  be  used  to  inhabit  any  type  and 
to  write  non-terminating  code.  The  above  type  Data  does  not  pass  the  positivity  checker:  it  is 
defined  mutually  with  <  >_,  and  <_>_  occurs  to  the  left  of  an  Agda  function  type  in  the 
meaning  of  D.  In  this  chapter,  we  wish  to  program  with  general  recursive  types,  so  we  will 
ignore  this  failure  of  positivity  checking.  An  interesting  direction  for  future  work  would  be  to 
consider  a  total  variant  of  our  framework,  which  admits  only  strictly  positive  types.  This  would 
require  a  more  refined  explanation  of  the  construction  of  the  defined  atoms  in  the  universe,  e.g. 
using  containers  (Abbott  et  al.,  2005),  because  the  positivity  of  a  defined  atom  D  depends  on  the 
rules  for  D  in  the  signature  InS. 

We  also  define  versions  of  □  and  V=>-  that  construct  Agda  Sets: 


□  :  Type  ->  Set 

□  A  =  <  []  >  A 

V^_  :  Type  ->  Set 

V^_  A  =  ('k  :  Vars)  ->  <  \l/  >  A 

The  first  is  more  concise  than  <  [  ]  >  □  A,  but  means  the  same  thing.  The  second  is  morally 
the  same  as  <  []  >  V=^  A,  but  this  expands  to  (T  :  Vars)  ->  <  T  +  []  >  A,  which  is  morally 
the  same  but  intensionally  different. 


5.1.3  Structural  Properties 


In  Figure  5.2 ,  we  present  the  type  signatures  for  the  structural  properties;  this  is  the  interface  that 
users  of  our  framework  see. 

For  example,  the  type  of  substitution  should  be  read  as  follows:  for  any  A  and  D,  if  the 
conditions  for  substitution  hold,  then  there  is  a  function  of  type  (V^  (D  =>■  A)  D  (D  +)  D  A) 
(for  any  context,  given  a  term  of  type  A  with  a  free  variable,  and  something  of  type  D  +  to  plug 
in,  there  is  a  term  of  type  A  without  the  free  variable).  Weakening  coerces  a  term  of  type  A  to  a 
term  with  an  extra  free  variable;  strengthening  does  the  reverse;  exchange  swaps  two  variables; 
contraction  substitutes  a  variable  for  a  variable.  We  also  include  an  n-ary  version  of  weakening 
for  use  with  the  bounded  quantifier:  if  A  can  be  weakened  with  D,  then  A  can  be  weakened  with 
a  whole  context  comprised  entirely  of  occurrences  of  D. 

We  discuss  the  meaning  of  the  conditions  (canSubst,  etc.)  below;  in  all  of  our  examples,  they 
will  be  discharged  automatically  by  our  implementation. 


5.2  Examples 


In  this  section,  we  illustrate  programming  in  our  framework,  adapting  a  number  of  examples  that 
have  been  considered  in  the  literature  (Pientka,  2008 ;  Poswolsky  and  Schurmann[  2008}  Shin- 
well  et  afj  2003 1.  Throughout  this  section,  we  compare  the  examples  coded  in  our  framework 
with  how  they  are/might  be  represented  in  Twelf,  Delphin,  Beluga,  FreshML,  and  “raw  Agda” 
(without  using  our  framework).  We  endeavor  to  keep  these  comparisons  objective,  focusing  on 
what  invariants  of  the  code  are  expressed,  and  what  auxiliary  functions  the  programmer  needs 
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subst  :  (A  :  Type)  {D  :  VarType} 

{_  :  Check  (canSubst  (un>  D)  A)} 

-*•  (V^  (D  =>  A)  D  (D  +)  D  A) 

weaken  :  (A  :  Type)  {D  :  VarType} 

{_  :  Check  (canWeaken  (un>  D)  A)} 

(V^  A  D  (D  =»  A)) 

strengthen  :  (A  :  Type)  { D  :  VarType} 

{_  :  Check  (canStrengthen  (un>  D)  A)} 

->  V^(D^A)dA 

exchange2  :  (A  :  Type)  (D1  D2  :  VarType} 

-*•  (V^  (D2  ^  D1  ^  A)  D  (D1  =>  D2  =>  A)) 

contract2  :  (A  :  Type)  (D  :  VarType} 

-»•  (V^  (D  =»  D  ^  A)  D  (D  =*►  A)) 

weaken*/bounded  :  (A  :  Type)  (T  :  Vars)  (D  :  VarType} 
->  (AIIEq  T  D) 

->  (canw  :  Check  (canWeaken  (un>  D)  A)} 

->  (V^Ad  (tf  A)) 


Figure  5.2:  Type  signatures  of  structural  properties 


to  define.  Several  additional  examples  are  available  in  the  companion  Agda  code,  including  a 
translation  from  A-terms  to  combinators,  a  type  checker  for  simply-typed  A-calculus  terms,  an 
evaluator  for  A-calculus  with  mutable  references  (using  variables  to  represent  locations),  and 
an  alternate  version  of  normalization-by-evaluation,  which  has  simpler  types  at  the  expense  of 
slightly  more-complicated  code. 

To  use  our  framework,  we  give  a  type  DefAtom  representing  the  necessary  datatypes  names, 
along  with  a  datatype 

data  InE  :  Rule  ->•  Set  where 

defining  the  datatype  constructors. 

We  use  the  following  naming  convention:  Defined  atoms  are  given  names  that  end  in  A.  For 
types  of  variables,  we  define  atomC  to  be  atomfK  injected  into  VarType.  Finally,  we  define  atom 
to  be  the  Type  constructed  by  D+atomA.  E.g.  for  a  type  of  expressions  exp,  we  will  make  the 
following  definitions: 

expA  :  DefAtom 
expC  =  >  arithA 
exp  =  D+  natA 
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5.2.1  Evaluating  Arithmetic  Expressions 

As  a  simple  example  of  mixing  admissibility  and  derivability,  we  consider  the  syntax  of  a  pro¬ 
gramming  language  with  primitives  specified  by  arbitrary  meta-language  functions.  In  particu¬ 
lar,  we  consider  arithmetic  expressions  constructed  out  of  (1)  variables,  (2)  numeric  constants, 
(3)  let  binding,  and  (4)  arbitrary  binary  primitive  operations,  represented  by  functions  of  type 
nat  D  nat  D  nat. 

In  a  concrete  syntax,  we  might  specify  a  signature  for  this  datatype  as  follows: 

num  :  arith  nat 

letbind  :  arith  arith  0  (arith  =>•  arith) 

binop  :  arith  •<=  arith  0  (nat  D  nat  D  nat)  0  arith 

Recall  that  the  symbol  <t=  is  used  for  datatype  constructors,  or  rules.  We  use  (derivability)  to 
represent  the  body  of  the  letbind,  and  D  (admissibility)  to  represent  the  primops.  In  Agda,  this 
signature  is  rendered  as  constructors  for  the  datatype  InS: 

zero  :  InS  (natA  <t=‘l) 
succ  :  InS  (natA  4=  nat) 

num  :  InS  (arithA  nat) 

letbind  :  InS  (arithA  4=  arith  0  (arithC  =>•  arith)) 

binop  :  InS  (arithA  arith  0  (nat  D  nat  D  nat)  0  arith) 

Next,  we  define  an  evaluation  function  that  reduces  an  expression  to  a  number: 

eval  :  □  (arith  D  nat) 
eval  (num  •  n) 
eval  (letbind  •  (el. e2)) 
eval  (binop  ■  (el.  f,  e2)) 

eval  (>  ()) 

Evaluation  maps  closed  arithmetic  expressions  to  natural  numbers  (the  type  □  (arith  D  nat) 
reduces  to  the  Agda  function  type  Data  []  arithA  ->  Data  []  natA).  Constants  evaluate  to  them¬ 
selves;  binops  are  evaluated  by  applying  their  code  to  the  values  of  the  arguments;  let-binding 
is  evaluated  by  substituting  the  expression  el  into  the  letbind’s  body  e^Jand  then  evaluating  the 
result.  A  simple  variation  would  be  to  evaluate  el  first  and  then  substitute  its  value  into  e2.  The 
final  clause  covers  the  case  for  variables  with  a  refutation  pattern:  there  are  no  variables  in  the 
empty  context. 

'The  arith  argument  to  subst  is  the  type  A  in  the  D  =>  A  argument  to  substitution;  Agda’s  type  reconstruction 
procedure  requires  this  annotation.  The  underscore  is  the  context  argument  instantiating  the  in  the  type  of  subst; 
this  could  be  eliminated  by  adding  an  implicit  context  quantifier  (whose  meaning  is  {  T  :  Vars}  ->  ...)  to  the 
universe.  The  credentials  for  performing  substitution  are  marked  as  an  implicit  argument,  so  there  is  no  evidence  of 
it  visible  in  the  call  to  subst. 


=  n 

=  eval  (subst  arith  _  e2  el) 
=  f (eval  el)  (eval  e2) 
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Comparison.  This  example  provides  a  nice  illustration  of  the  benefits  of  our  approach:  Sub¬ 
stitution  is  provided  “for  free”  by  the  framework,  which  infers  that  it  is  permissible  to  substitute 
for  arithC  variables  in  arith — this  improves  on  implementing  the  example  in  raw  Agda,  where 
substitution  would  need  to  be  implemented  by  hand.  The  type  system  enforces  the  invariant  that 
evaluation  produces  a  closed  natural  number. 

It  is  not  possible  to  define  the  type  arith  in  Twelf/Delphin/Beluga,  as  LF  representations 
cannot  use  computational  functions.  One  could  program  this  example  in  FreshML,  but  it  would 
be  necessary  to  implement  substitution  directly  for  arith,  as  FreshML  does  not  provide  a  generic 
substitution  operation. 

Agda  checks  that  eval’s  pattern  matching  is  exhaustive.  However,  Agda  is  not  able  to  verify 
the  termination  of  this  function  (even  setting  aside  the  positivity  problems — which  are  not  really 
problematic  here,  as  nat  is  morally  defined  prior  to  arith,  so  the  definition  is  iterated),  as  it  recurs 
on  a  substitution-instance  of  one  of  the  inputs.  Setting  aside  the  computational  functions  in  binop, 
it  would  be  possible  to  get  the  call-by-value  version  of  this  code  to  pass  Twelf’s  termination 
checker,  which  recognizes  certain  substitution  instances  as  smaller.  We  have  not  yet  investigated 
how  to  explain  this  induction  principle  to  Agda. 

5.2.2  Reduction 

Next,  we  implement  small-step  reduction  for  the  A-calculus.  This  example  illustrates  recur¬ 
sion  over  open  terms,  as  well  as  additional  uses  of  the  structural  properties  provided  by  our 
framework.  We  represent  the  A-calculus  with  the  following  signature,  which  is  familiar  from 
higher-order  abstract  syntax: 

lam  :  InS  (expA  4=  expC  =>■  exp) 
app  :  InS  (expA  4=  exp  ®  exp) 

Next,  we  define  a  function  red  implementing  small-step  reduction.  As  a  first  cut,  we  might 
try  assigning  red  the  type  □  (exp  Z>  exp  ®‘l),  which  is  interpreted  as  Data  []  exp  -> 
Either  (Data  []  exp)  Unit.  That  is,  red  e  returns  an  option,  with  Ini  e’  signaling  that  e  steps 
to  e’,  and  Inr  <>  signaling  that  e  cannot  be  reduced  further.  However,  because  reduction  pro¬ 
ceeds  under  binders,  it  is  necessary  to  generalize  red  so  that  it  works  on  open  terms.  Thus,  we 
instead  give  it  the  type 

red  :  exp  D  exp  ©T 

which  works  in  any  context.  This  type  is  interpreted  as 

(\D  :  Ctx)  -»  Data  exp  -»  Either  (Data  T  exp)  Unit 


red  is  implemented  as  follows: 
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red  T  (>  x)  =  Inr  <> 

red  T  (app  •  (lam  •  e,  e2))  =  Ini  (subst  exp  'I'  e  e2) 


red  T 

(app  • 

■  (el.e2))  with  red  T  el 

red  T  e2 

Ini  el' 

= 

Ini 

(app  • 

(el’,e2)) 

Inr  <>  | 

Ini  e2’  = 

Ini 

(app  • 

(el.  e2’)) 

Inr  <> 

Inr  <>  = 

Inr 

<> 

red  T 

(lam  • 

e)  with  red  (expC  ::  T)  e 

Ini  e’  =  Ini  (lam 

•  e’) 

Inr  <>  =  Inr  <> 


The  variable  case  (>  x)  says  that  variables  do  not  reduce.  The  second  line  reduces  a  T-rcdcx 
using  substitution;  the  fact  that  subst  is  available  for  exp  is  inferred  by  our  framework.  For  any 
other  application,  we  try  reducing  the  function  position.  If  this  succeeds,  we  have  a  reduction; 
otherwise,  we  try  reducing  the  argument  position.  For  a  lam,  we  try  reducing  the  body,  which  is 
an  example  of  making  a  recursive  call  in  an  extended  context  expC  ::  T,  which  extends  T  with 
an  additional  assumption  of  type  exp. 

Comparison.  If  a  programmer  were  to  implement  this  example  in  raw  Agda,  the  signature 
would  be  more  verbose,  as  it  would  need  to  mention  contexts  explicitly,  and  he  would  have  to 
implement  subst  by  hand.  In  Twelf,  reduction  would  be  written  as  a  logic  program,  so  the  failure 
cases  would  not  need  to  be  described  explicitly.  In  Twelf  and  Delphin,  the  context  is  managed 
implicitly,  so  the  T  arguments  would  be  elided.  In  Beluga,  the  code  would  look  quite  similar  to 
the  above. 


5.2.3  Type  checking 


Next,  we  implement  a  type  checker  for  the  simply-typed  A-calculus.  The  function  red  above 
worked  for  any  context  T.  because  the  variable  case  simply  returned  a  constant.  In  contrast,  to 
implement  a  type  checker,  we  need  to  maintain  extra  information  about  the  context,  associating 
a  type  with  each  term  variable.  To  maintain  this  information,  we  use  a  function  whose  domain 


is  the  variables  of  a  given  type,  a  technique  inspired  by  Delphin  (Poswolsky  and  Schiirmann 


2008). 


We  represent  the  STLC  with  the  following  signature: 


arr  :  InS  (tpA  •<=  tp  ®  tp) 
unit  :  InS  (tpA  4=‘l) 

fn  :  InS  (tmA  -<=  □  tp  ®  (tmC  tm)) 
ap  :  InS  (tmA  •<=  tm  ®  tm) 
mt  :  InS  (tmA  -<=‘l) 


For  simplicity,  we  make  the  fact  that  all  types  are  closed  explicit,  using  a  □  in  the  type  of  the 
constant  fn  to  say  that  the  type  annotation  is  closed.  This  saves  us  from  having  to  weaken  and 
strengthen  term  variables  in  types  (see  size  below). 

To  implement  the  type  checker,  we  first  need  equality  of  types,  which  is  implemented  by  a 
simple  recursion  over  closed  types: 


92 


CHAPTER  5.  AN  EMBEDDED  LOGIC AE  FRAMEWORK 


eqtp  :  □  (tp  Z>  tp  D  bool) 

Next,  we  define  an  environment  to  be  a  function  that  gives  a  closed  type  for  each  term  vari¬ 
able;  recall  that  the  type  tmC  #  means  the  variables  of  type  tm: 

env  :  Type 

env  =  tmC  #  D  □  tp 

Type  synthesis  takes  a  term  and  an  environment  and  optionally  returns  a  closed  type: 
synth  :  (V^  tm  D  env  D  (□  tp)  ®‘l) 

It  is  implemented  as  follows: 
synth  T  (>  x)  env  =  Ini  (env  x) 

synth  T  (fn  •  (A.  e))  env  with  synth  (tmC  ::  'k)  e  (extend  {□  tp}  {tmC}  'k  env  A) 

|  Ini  B  =  Ini  (arr-  (A,  B)) 

|  Inr  <>  =  Inr  <> 

synth  'k  (ap  •  (el,e2))  env  with  synth  T  el  env  |  synth  'k  e2  env 

|  Ini  (arr  ■  (Al,  A2))  |  Ini  B1  with  eqtp  A1  B1 

|  Ini  <>  =  Ini  A2 
|  Inr  <>  =  Inr  <> 

synth  'k  (ap  •  (el,e2))  env  j  _  |  _  =  Inr  <> 

synth  T  (mt  •  <>)  env  =  Ini  (unit  ■  _) 

A  variable  has  the  type  given  in  the  environment;  the  framework  already  ensures  well-scopedness, 
so  there  is  no  possibility  of  getting  a  variable  out  of  scope.  The  clause  for  ap  check  the  function 
and  argument  positions  and  then  check  that  the  domain  of  the  function  is  the  type  of  the  argu¬ 
ment.  The  case  for  fn  is  interesting  because  it  must  extend  the  environment  env  by  mapping  the 
last  variable  mapped  to  the  type  A.  We  do  this  using  the  function  extend: 

extend  :  V  (A  D}  (V^  (D  #  D  A)  D  A  D  (D  =>  D  #)  D  A) 

extend  T  a  new  iO  =  new 
extend  T  a  new  (iS  i)  =  a  i 

If  we  had  made  a  mistake  and  forgotten  to  extend  the  environment,  the  Agda  type  checker  would 
helpfully  complain  that  (tmC  ::  'k)  !=  T. 

Comparison.  We  have  included  this  example  mainly  to  introduce  the  environment  technique; 
it  would  not  be  very  different  in  raw  Agda,  as  we  have  not  made  use  of  any  of  the  structural 
properties.  In  Twelf,  the  failure  cases  could  be  elided,  unification  could  be  used  for  type  equality, 
and  the  LF  context  could  be  used  to  represent  the  environment  implicitly.  In  Delphin,  the  context 
'k  would  be  implicit,  but  the  environment  would  be  passed  explicitly.  In  Beluga,  the  LF  context 
could  be  used  to  associate  variables  with  types,  but  it  is  passed  explicitly. 
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5.2.4  Closure-based  Evaluator 

Next,  we  implement  a  closure -based  evaluator  for  the  untyped  A-calculus.  Like  the  type  checker 
above,  this  example  illustrates  the  use  of  functions  to  maintain  invariants  about  the  context; 
additionally,  it  shows  how  to  use  existential  quantification  over  contexts.  We  gave  the  signature 
for  A-terms  above;  closures  are  represented  by  a  type  clos  as  follows: 

closure  :  InE  (closA  4=  (3=>-  (expC  =>  exp)  (8)  (expC  f  D  □  clos))) 

The  type  of  closures,  clos,  is  a  recursive  type  with  one  constructor  closure.  The  premise  of 
closure  should  be  read  as  follows:  a  closure  is  constructed  from  a  triple  (T,  e,  a),  where  (1)  'k  is 
an  existentially  quantified  context;  (2)  e  is  an  expression  in  \k  with  an  extra  free  variable,  which 
represents  the  body  of  a  A-abstraction;  and  (3)  a  is  a  substitution  of  closed  closures  for  all  the 
variables  in  \k.  We  represent  a  substitution  as  a  function  that  maps  each  expression  variable  in  the 
context  (classified  by  the  type  expC  #)  to  a  closure.  The  type  of  the  premise  provides  a  succinct 
description  of  all  of  this:  3=>-  introduces  the  variables  in  the  existentially  quantified  context  into 
scope  without  explicitly  naming  the  context;  =>■  extends  the  context  with  an  additional  variable; 
(expC  #)  ranges  over  all  of  the  variables  in  scope.  For  comparison,  in  \k  this  type  reduces  to  the 
Agda  type 

E  (A  ('k'  :  Vars)  -»  (Data  ('k  +  T’^expC)  expA)  x  (expC  e  ('k  +  'k')  ->  Data  []  closA)) 
(where  we  write  , ,  for  cons  on  the  right). 

As  in  the  type  checker  example  we  recur  over  open  expressions,  so  eval  is  quantified  over  an 
unknown  context  'k  using  V=^.  Evaluation  takes  two  further  arguments:  (1)  an  expression  with 
free  variables  in  'k,  and  (2)  an  environment,  represented  by  a  function  that  yields  a  closed  closure 
for  each  expression  variable  in  'k;  eval  returns  a  closed  closure. 

env  :  Type 

env  =  expC  |  D  □  clos 

eval  :  □  (V=>  exp  D  env  D  □  clos) 
eval  \k  (>  x)  a  =  ax 
eval  'k  (lam  •  e)  a  —  closure  •  (\k,e,cr) 
eval  T  (app  ■  (el,  e2))  a 

with  eval  T  el  a 

...  |  closure  •  (\k’,  e’,  a')  =  eval  ('k', ,  expC)  e’  (extend  {(□  clos) }_  a'  (eval  'k  e2  a)) 

...  j  >  x  =  impossible  x 

A  variable  is  evaluated  by  applying  the  substitution.  A  lam  evaluates  to  the  obvious  closure.  To 
evaluate  an  application,  we  first  evaluate  the  function  position.  Case- analyzing  the  evaluation 
of  el  gives  two  cases:  (1)  the  value  is  constructed  by  the  constructor  closure;  (2)  the  value  is  a 
variable. 

In  the  first  case,  we  evaluate  the  body  of  the  closure  in  an  extended  environment.  The  call  to 
the  function  extend,  described  in  the  type  checker  example  above,  extends  the  environment  a’  so 
that  the  last  variable  is  mapped  to  the  value  of  e2.  At  the  call  site  of  extend,  we  must  explicitly 
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supply  the  type  A  (in  this  case  □  clos)  to  help  out  type  reconstruction.  The  underscore  stands 
for  the  instantiation  of  the  V^,  which  is  marked  as  an  explicit  argument,  but  can  in  this  case  be 
inferred. 

The  second  case  is  contradicted  using  the  function  impossible,  which  refutes  the  existence  of 
a  variable  at  a  non-VarType — which  clos  is,  because  we  never  wish  to  have  clos  variables. 

The  context  argument  'P  to  eval  does  not  play  an  interesting  role  in  the  code,  but  Agda’s  type 
reconstruction  requires  us  to  supply  it  explicitly  at  each  recursive  call.  Agda  is  unable  to  verify 
the  termination  of  this  evaluator  for  the  untyped  A-calculus,  as  one  would  hope. 

When  writing  this  code,  one  mistake  a  programmer  might  make  is  to  evaluate  the  body  of 
the  closure  in  a  instead  of  ex’,  which  would  give  dynamic  scope  instead  of  static  scope.  If  we 
make  this  mistake,  Agda  highlights  the  occurrence  of  a  and  helpfully  reports  the  type  error 
that  T '  !  =  T,  indicating  that  the  context  of  the  expression  does  not  match  the  context  of  the 

substitution. 


Comparison.  In  Twelf,  one  cannot  represent  substitutions  a  using  admissibility  functions,  be¬ 
cause  these  are  not  available  for  use  in  LF  encodings.  However,  because  the  domain  of  the 
substitution  is  finite,  a  first-order  representation  of  substitutions  could  be  used.  Additionally, 
Twelf  does  not  provide  the  □  and  3=>-  connectives  that  we  use  here  to  describe  the  contexts 
of  closures.  While  it  should  be  possible  for  the  programmer  to  express  the  necessary  context 
invariants  using  explicit  contexts  (|Crary ,  2008),  this  is  a  fairly  heavy  encoding  technique.  Be¬ 
cause  of  these  two  limitations,  the  resulting  Twelf  code  would  be  more  complicated  than  the 
above.  One  would  hope  for  better  Delphin  and  Beluga  implementations  than  a  port  of  the  Twelf 
code,  but  Delphin  lacks  existential  context  quantification  and  □,  and  Beluga  lacks  the  parameter 
type  exp  #,  so  our  definition  of  clos  cannot  be  straightforwardly  ported  to  either  of  these  lan¬ 
guages.  Beluga  provides  a  built-in  type  of  substitutions,  written  [T’J'F,  so  one  might  hope  to 
represent  closures  as  :  exp]exp)  x  [,]L;  however,  the  second  component  of  this  pair 

associates  an  expression  with  each  expression  variable  in  i/j,  whereas,  in  this  example,  we  need 
to  associate  a  closure  with  each  expression  variable  in  if).  One  could  implement  this  example  in 
FreshML  ([Shin well  et  al., [2003),  but  the  type  system  would  not  enforce  the  invariant  that  clo¬ 
sures  are  in  fact  closed.  To  our  knowledge,  a  proof  of  this  property  for  this  example  has  not  been 
attempted  in  Pure  FreshML  (Pother}  2007 ),  though  we  know  of  no  reason  why  it  would  not  be 
possible.  The  only  improvement  over  raw  Agda  in  this  case  is  that  the  types  are  more  concise 
when  specified  in  our  point-free  notation. 


5.2.5  Variable  Manipulation 

Next,  we  consider  some  common  examples  that  involve  manipulation  of  variables.  None  of  these 
examples  are  very  different  than  what  one  would  write  in  raw  Agda;  instead,  we  show  them  to 
illustrate  how  dependent  de  Bruijn  indices  compare  with  other  representations  of  variables. 

Size 

First,  we  compute  the  size  of  a  A-term.  Addition  is  defined  as  usual,  with  a  contradictory  variable 
case  because  no  natA  variables  are  allowed. 
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plus  :  □  (nat  D  nat  D  nat) 

plus  (zero  ■  _)  m  =  m 

plus  (succ  •  n)  m  =  succ  •  (plus  n  m) 

plus  (>  ())  _ 

size  :  (V^  exp  D  □  nat) 

size  \1>  (>  x)  =  succ  ■  (zero  ■  _) 

size T  (app  •  (el.e2))  =  succ  •  (plus  (size  T  el)  (size T  e2)) 

size T  (lam  •  e)  =  succ  •  (size  ('5, ,  expC)  e) 

Agda  successfully  termination-checks  these  functions. 

The  type  of  size  expresses  that  it  returns  a  closed  natural  number.  For  comparison,  we  imple¬ 
ment  a  second  version  that  does  not  make  this  invariant  explicit: 

size’  :  □  (V^  expC  (exp  D  nat)) 
size’  T  bound  (>  x)  =  succ  ■  (zero  ■  _) 
size’  T  bound  (app  •  (el,e2))  = 

succ  ■  (plus’  T  bound  (size’  T  bound  el)  (size’  T  bound  e2))  where 
plus’  :  □  (V^  expC  (nat  D  nat  D  nat)) 

plus’  $  b  =  weaken*/bounded  (nat  D  nat  D  nat)  T  {expC}  b  []  plus 
size’  T  bound  (lam  •  e)  =  strengthen  nat  _  (size’  (T^expC)  bound  e) 


Without  the  □,  size  must  return  a  number  in  context  T:  in  the  application  case,  we  must  weaken 
plus  into  T.  and  in  the  lam  case  we  must  strengthen  the  extra  expC  variable  out  of  the  recursive 
call.  Strengthening  expression  variables  from  natural  numbers  is  permitted  by  our  implementa¬ 
tion  of  the  structural  properties  because  natural  numbers  cannot  mention  expressions;  we  use  a 
subordination-like  analysis  to  determine  this  ( Yirga  1999 ).  To  ensure  that  these  weakenings  and 
strengthenings  are  permitted,  we  type  size’  with  a  bounded  quantifier  over  exp. 

Comparison.  The  first  version  is  similar  to  what  one  writes  in  FreshML,  except  in  that 
setting  there  is  no  need  to  pass  around  a  context  T.  In  the  second  version,  the  strengthening  of 
the  recursive  result  in  the  lam  case  is  analogous  to  the  need,  in  FreshML  2000  (Pitts  and  Gabbay, 


2000),  to  observe  that  nat  is  pure  (always  has  empty  support);  FreshML  (Shinwell  et  al.,  2003) 


does  not  require  this. 

In  Beluga,  one  can  express  either  the  first  or  second  versions.  In  Twelf  and  Delphin,  one 
can  only  express  the  second  variation,  as  these  languages  do  not  provide  □.  However,  the 
Twelf/Delphin/Beluga  syntax  for  weakening  and  strengthening  is  terser  than  what  we  have  been 
able  to  construct  in  Agda:  weakening  is  not  marked  in  the  proof  term;  strengthening  is  marked 
by  pattern-matching  the  result  of  the  recursive  call  and  marking  those  variables  that  do  occur, 
which  in  this  case  does  not  include  the  expression  variable.  For  example,  the  lam  case  of  size  in 
Twelf  looks  like  this: 


-  :  size  (lam  ( [x]  Ex))  (succ  N) 

<—  ({x  :  exp}  size  (E  x)  N)  o 

Twelf’s  coverage  checker  verifies  that  expression  variables  can  be  strengthened  out  of  natural 
numbers  when  checking  this  case. 
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Counting  occurrences  of  a  variable 


A  simple  variation  is  to  count  the  number  of  occurrences  of  a  distinguished  free  variable.  The 
input  to  this  function  has  type  (expC  =>■  exp),  and  we  count  the  occurrences  of  the  bound  variable: 


cnt  :  (expC  =>■  exp)  D  □  nat 

cnt  T  (>  iO)  =  succ  •  (zero  •  _) 

cnt  \k  (>  (iS  _))  =  zero  •  _ 

cnt  \k  (app  •  (el,e2))  =  plus  (cnt  T  el)  (cnt  T  e2) 

cnt  T  (lam  •  e)  =  cnt  (Tr, ,  expC)  (exchange2  exp  T  e) 


In  the  first  two  cases,  we  pattern-match  on  the  variable:  when  it  is  the  last  variable,  the  last 
variable  occurs  once;  when  it  is  not,  it  occurs  zero  times.  The  lam  case  recurs  on  the  exchange 
of  e,  so  that  the  last  variable  remains  the  one  we  are  looking  for.  Agda  fails  to  termination-check 
this  example  because  it  recurs  on  the  result  of  exchange. 

Comparison.  Pattern-matching  on  variables  is  represented  using  higher-order  metavariables 
in  Twelf/Delphin/Beluga  and  using  equality  tests  on  names  in  FreshML.  The  exchange  needed 
in  the  lam  case  is  written  as  a  substitution  in  the  Twelf/Delphin/Beluga  version  of  this  clause.  In 
Twelf  one  would  write: 


-  :  cnt  ( [x]  lam  ( [y ]  Exy))  N 

<—  ({y:exp}  cnt  ( [x]  E  x  y)  N)  o 

In  the  input  to  this  clause,  the  metavariable  E,  which  stands  for  the  body  of  the  function,  refers 
to  the  last  variable  in  the  context  (the  lam-bound  variable)  as  y  and  the  second-last  variable  (the 
variable  being  counted)  as  x.  In  the  recursive  call,  y  is  exchanged  past  the  binding  of  x,  so  the 
instantiation  Exy  swaps  “last”  and  “second-last”. 


Computing  free  variables 

Next,  we  consider  a  function  computing  the  free  variables  of  an  expression.  This  function  has  the 
following  type:  (V^  exp  D  list  (expC  #)) — in  any  context,  this  function  accepts  an  expression 
in  that  context  and  produces  a  list  of  variables  in  that  context.  This  typing  ensures  that  we  do  not 
accidentally  return  a  bound  variable. 

remove  :  {D  :  VarType} 

-  (V=»  (D  =*  list  (D  #))  D  list  (D  #)) 

remove  \k  []  =  [ 

remove  'k  (iO  ::  ns)  =  (remove  T  ns) 

remove  'k  ((iS  i)  ::  ns)  =  i  ::  (remove  \k  ns) 

fvs  :  (V^  exp  D  list  (expC  #)) 
fvs  \k  (>  x)  =  [x] 

fvs  'k  (lam  •  e)  =  remove  <k  (fvs  (\k, ,  expC)  e) 
fvs  \k  (app  •  (el,e2))  =  append  (fvs  'k  el)  (fvs  T  e2) 

In  the  lam  case,  we  use  the  helper  function  remove  to  remove  the  lam-bound  variable  from  the 
recursive  result.  The  function  remove  takes  a  list  of  variables,  itself  with  a  distinguished  free 
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variable,  and  produces  a  list  of  variables  without  the  distinguished  variable.  If  the  programmer 
were  to  make  a  mistake  in  the  second  clause  by  accidentally  including  iO  in  the  result,  he  would 
get  a  type  error.  Agda  successfully  termination-checks  this  example. 

Comparison.  For  comparison  with  FreshML  (Shinwell  et  al.[|2003),  the  type  given  to  remove 
here  is  analogous  to  their  Figure  6: 


remove  :  (<name>  (name  list))  ->  name  list 


where  <a >r  is  a  nominal  abstractor.  The  authors  comment  that  they  prefer  the  version  of  remove 
in  their  Figure  5: 

remove  :  name  (name  list)  -*•  name  list 


where  the  name  to  removed  is  specified  by  the  first  argument,  rather  than  using  a  binder. 

Using  dependent  types,  we  can  type  this  second  version  of  remove  as  follows: 

remove  :  (T  :  Vars)  (i  :  exp  G  T) 

->  List  (exp  G  VF)  ->  List  (exp  G  ('F  -  i)) 

where  \F  -  i  removes  the  indicated  element  element  from  the  list.  This  type  is  of  course  express¬ 
ible  in  Agda,  but  not  in  the  simply-typed  universe  that  we  consider  in  this  chapter. 

In  Twelf,  this  example  can  be  coded  with  two  differences  from  the  above.  The  first  is  that 
remove  pattern-matches  on  derivability  functions,  rather  than  pattern-matching  to  distinguish 
different  variables  in  the  (extended)  context,  as  we  do  above: 


remove  :  (var  ->  list)  ->■  list  ->  type. 

-  :  remove  ([x]  cons  x  (L  x))  L’ 

<—  remove  L  L’. 

-  :  remove  ([x]  cons  Y  (L  x))  (cons  Y  L’) 

<—  remove  L  L’. 

-  :  remove  ( [x]  nil)  nil. 

Second,  to  enforce  the  invariant  that  the  output  list  contains  only  variables,  it  is  necessary  to 
modify  the  encoding  to  identify  variables.  One  option  is  to  use  a  separate  type  var  for  variables,  as 
we  have  done  here  (though  this  necessitates  a  manual  proof  that  an  expression  can  be  substituted 
for  a  variable);  another  is  to  define  a  predicate  isvar  E  which  holds  when  E  is  a  variable.  Without 
this  invariant,  remove  is  not  total,  though  it  could  be  extended  to  a  total  relation  by  adding  cases 
for  the  remaining  expressions. 

In  Delphin,  one  would  need  to  match  on  a  derivability  function,  as  Delphin  does  not  support 
matching  against  individual  free  variables,  but  the  #  type  could  be  used  to  define  a  list  of  vari¬ 
ables  (if  Delphin  were  extended  with  non-LF  inductive  types).  Complementarily,  in  Beluga,  one 
can  match  against  individual  variables  by  restricting  a  pattern  by  a  substitution,  but  the  encoding 
would  need  to  explicitly  provide  a  type  of  variables. 
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77-Contraction 

In  Twelf/Delphin/Beluga,  one  can  recognize  77-redices  by  writing  a  meta-variable  that  is  not 
applied  to  all  enclosing  locally  bound  variables.  E.g.  in  Twelf  one  would  write 

-  :  contract  (lam  [x]  app  F  x)  F. 

The  metavariable  F:exp  is  bound  outside  the  scope  of  x,  and  thus  stands  only  for  terms  that  do 
not  mention  x.  (To  allow  it  to  mention  x,  we  would  bind  F:exp  -»  exp  and  write  (F  x)  in  place 
of  F.) 

Unfortunately,  Agda  does  not  provide  this  sort  of  pattern  matching  for  our  encoding — pattern 
variables  are  always  in  the  scope  of  all  enclosing  local  binders — so  we  must  explicitly  call  a 
strengthening  function  that  checks  whether  the  variable  occurs: 

strengthen?  :  (expC  =>■  exp)  Z>  exp  option 

strengthen?  T  (>  jO)  =  Inr  _ 
strengthen?  T  (>  (jS  i))  =  Ini  (>  i) 

strengthen?  T  (app  •  (el,e2))  with  strengthen?  'k  el  |  strengthen?  T  e2 

|  Ini  el’  j  Ini  e2’  =  Ini  (app  •  (el’,  e2’)) 

j  _  |  _  =  Inr  _ 

strengthen?  T  (lam  •  e)  with  strengthen?  (\k, .  expC)  (exchange2  exp  T  e) 

j  Ini  e'  =  Ini  (lam  •  e’) 

|  _  =  Inr  _ 

contract-77  :  exP  D  exp  option 

contract-77  (lam  •  (aPP  •  (f,  >  iO)))  =  strengthen?  'k  f 

contract-77  VI;  -  =  Inr  <> 

We  conjecture  that  strengthen?  could  be  implemented  datatype-generically  for  all  purely 
positive  types  (no  D  or  Vc  or  VC~) — it  is  not  possible  to  decide  whether  a  variable  occurs  in  the 
values  of  these  function  types  (cf.  FreshML,  where  it  is  not  possible  to  decide  whether  a  name  is 
in  the  support  of  a  function).  This  strengthening  function  is  not  an  instance  of  the  generic  map 
that  we  define  below,  as  it  changes  the  type  of  the  term  (exp  to  exp  option);  though  there  may  be 
a  more  general  traversal  that  admits  this  operation. 

5.2.6  Combinators 

Another  place  where  the  strengthening  issue  discussed  with  size  above  comes  up  is  in  translations 
between  languages.  A  standard  example  is  translation  from  A-terms  to  combinators,  which  we 
represent  as  follows: 

comb/s  :  InE  (combA  4=T) 

comb/k  :  InE  (combA  -<=T) 

comb/i  :  InE  (combA  4=‘l) 

comb/app  :  InE  (combA  comb  g)  comb) 
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First,  we  define  bracket-abstraction,  which  takes  a  combinator  with  a  free  variable,  and  ab¬ 
stracts  over  it,  using  combinators  to  pass  the  value  of  the  variable  to  its  use  sites: 

bracket  :  ((combC  =>■  comb)  D  comb) 

bracket  'k  (>  iO)  =  comb/i  ■  <> 

bracket  \k  (>  (iS  x))  =  comb/app  ■  (comb/k  ■  <>,>  x) 

bracket  \k  (comb/i  •  <>)  =  comb/app  •  (comb/k  •  <>,  comb/i  ■  <>) 

bracket  \k  (comb/s  ■  <>)  =  comb/app  •  (comb/k  •  <>,  comb/s  •  <>) 

bracket  'k  (comb/k  ■  <>)  =  comb/app  ■  (comb/k  ■  <>,  comb/k  •  <>) 

bracket  'k  (comb/app  •  (al,a2))  = 

comb/app  ■  (comb/app  ■  (comb/s  •  <>,  bracket  'k  al),  bracket  T  a2) 

If  the  combinator  is  the  distinguished  last  variable  (iO),  then  the  result  is  the  I  combinator.  If  it 
is  any  other  variable,  the  result  is  the  constant  K  combinator  applied  to  that  variable.  Similarly, 
the  result  for  any  constant  among  I,  S,  and  K  is  K  applied  to  that  constant.  Application  bracket- 
abstracts  the  two  pieces  and  combines  them  with  S.  The  type  of  bracket  ensures  that  the  variable 
being  abstracted  is  not  free  in  the  result. 

The  translation  from  expressions  to  combinators  maintains  an  environment  mapping  each 
expression  variable  to  a  combinator  variable: 

combw  =  (expC  #  D  combC  #) 

extend-combenv  :  combw  D  (expC  =>•  combC  combw) 

extend-combenv  T  cr  (iS  iO)  =  iO 
extend-combenv  'k  a  (iS  (iS  i))  =  iS  (iS  (a  i)) 

The  function  extend-combenv  shows  how  to  extend  an  environment  in  \k  to  an  environment  in 
'k, ,  exp, ,  comb,  where  the  new  expression  variable  is  mapped  to  the  new  combinator  variable, 
and  all  other  results  are  shifted  so  that  they  make  sense  in  the  new  environment. 

The  translation  is  defined  as  follows: 

tr  :  (combw  D  exp  D  comb) 

tr  \k  a  (>  x)  =  >  (a  x) 

tr  'k  a  (app  •  (el.  e2))  =  comb/app  •  (tr  \k  cr  el,  tr  T  a  e2) 
tr  'k  cr  (lam  •  e)  = 

let 

r  :  <  'k, ,  expC, ,  combC  >  comb 

r  =  tr  ('k, ,  expC, ,  combC)  (extend-combenv  T  a)  (weaken  exp  ('k, ,  expC)  e) 

s  :  <  'k,,  combC  >  comb 
s  =  strengthen/anywhere  comb  (iS  iO)  r 

in 

bracket  T  s 

The  interesting  case  is  lam,  where  we  first  let  r  stand  for  the  result  of  a  recursive  call  in  an 
extended  context.  Prior  to  the  recursive  call,  we  must  weaken  e,  which  is  in  context  'k. ,  expC, 
with  the  new  combinator  variable,  r  is  then  a  combinator  in  context  'k, ,  expC, ,  combC.  Next,  we 
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can  strengthen  away  the  expC  assumption,  as  expressions  cannot  occur  in  combinators.  Finally, 
bracket  abstraction  gives  the  result. 

An  alternative  is  to  use  different  contexts  for  the  expression  and  the  combinator  term,  in 
which  case  no  weakening  and  strengthening  are  necessary: 

combw’  :  Vars  ->  Vars  ->  Type 

combw'  \k  \k’  =  ([T]  *  expC  #)  D  (['&']  *  combC  #) 

tr’  :  □  (Vc  (A  'k  ->■  Vc  (A  'k'  ->■  combw'  ([\k]  *  exp)  D  ([\k’j  *  comb)))) 

tr'  \k  \k’  a  (>  x)  =  >  (cr  x) 

tr’  \k  \k’  a  (app  •  (el.e2))  =  comb/app  ■  (tr'  T  \k’  a  el,tr’  T  \k’  a  e2) 

tr'  \k  \k’  a  (lam  •  e)  =  bracket  \k’  (tr’  ('k, ,  expC)  ('k', ,  combC)  newer  e)  where 

newer  :  □  (combw’  ('k^expC)  ('k', ,  combC)) 
newer  iO  =  iO 
newer  (iS  i)  =  (iS  (cr  i)) 


The  price  is  that  the  type  is  more  verbose,  because  the  context  can  no  longer  be  treated  implicitly. 

Comparison.  An  implementation  in  both  Twelf  and  Delphin  is  more  similar  to  tr  than  tr’,  in 
that  both  the  expression  and  the  combinator  term  exist  in  the  same  ambient  LF  context.  When 
writing  this  code  in  Twelf,  the  LF  context  can  be  used  to  represent  the  environment,  weakening 
is  tacit,  and  strengthening  is  represented  by  pattern-matching,  as  discussed  above.  In  Delphin, 
the  environment  is  represented  as  a  function,  as  we  have  done  here,  but  weakening  and  strength¬ 
ening  are  treated  as  in  Twelf.  In  Beluga,  one  can  implement  the  function  in  the  tr  style,  but  the 
environment  is  represented  in  the  LF  context,  and  weakening  and  strengthening  are  notated  using 
substitutions,  as  in  Twelf.  One  can  almost  write  the  type  of  the  tr’-style  implementation,  but  it 
is  unclear  how  to  represent  the  environment  (Pientka  (2006)  suggests  using  the  tr  style  instead). 
Relative  to  raw  Agda,  the  type  of  tr  is  more  concise  because  the  context  does  not  need  to  be 
mentioned  explicitly;  tr’  is  no  different. 


5.2.7  Normalization  by  Evaluation 

In  Figure  |5.3[  we  present  an  interesting  example  that  mixes  derivability  and  admissibility,  j3- 
normalization-by-evaluation  for  the  untyped  A-calculus.  Normalization-by-evaluation  (NBE)  is 
a  method  for  evaluating  A-terms  using  the  evaluator  of  the  meta-language,  rather  than  defining 
normalization  syntactically,  using  substitution.  The  idea  of  NBE  is  to  interpret  the  syntax  of 
an  object  language  into  the  meta-language,  interpreting  derivability  functions  in  the  syntax  as 
admissibility  functions  in  the  meta-language.  The  obvious  way  to  do  this  is  to  interpret  the 
object-language  type  A  arrow  B  as  the  meta-language  type  [  A  ]  ->•  [  B  ].  However,  with 
this  interpretation,  it  is  impossible  to  read  off  a  syntactic  normal  form,  because  functions  are 
interpreted  as  black-box  admissibility  functions.  The  solution  is  to  interpret  into  a  space  of 
meta-language  functions  that  can  be  applied  to  syntactic,  as  well  as  semantic,  arguments.  A 
syntactic  normal  form  can  then  be  read  off  by  applying  such  a  function  to  a  variable. 

For  the  untyped  A-calculus,  our  semantic  domain  sem  consists  of  syntactic  neutral  terms  of 
the  form  x  el  ...  en  as  well  as  admissibility  functions  from  sem  D  sem.  However,  in  imple¬ 
menting  NBE,  it  is  necessary  to  weaken  values  of  type  sem  into  bigger  contexts,  and  the  type 
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napp  :  InS  (neuA  4=  neu  (8)  sem) 

neut  :  InE  (semA  4=  neu) 

slam  :  InE  (semA  4=  (V^  neuC  (sem  D  sem))) 


reifyenv  :  Vars  ->  Vars  ->  Type 

reifyenv  'I'e  'I's  =  ([\l/s]  *  (neuC  ft)  D  [Te]  *  (expC  ft)) 

reifyn  :  VC  (A  'I'e  ->  Vc  (A  'I's  ->  reifyenv  'I'e  'I's  D  [\l/s]  *  neu  D  [Te]  *  exp)) 
reifyn  Te  \l/s  a  (>  x)  =  >  (a  x) 
reifyn  Te  \l/s  a  (napp  •  (n.s))  = 

app  ■  (reifyn  Te  \l/s  a  n,  reify  'I'e  'I's  a  s) 

reify  :  VC  (A  'I'e  ->  (Vc  Afs  ->  reifyenv  Te  'I's  D  [ 'I's]  *  sem  D  ['I'e]  *  exp)) 
reify  'I'e  'I's  a  (slam  •  p)  = 

lam  •  reify  ('I'e, ,  expC)  ('I's, ,  neuC)  a'  (p  [neuC]  _  (neut  •  (>  iO)))  where 
ex’  :  □  (reifyenv  ('I'e, ,  expC)  ('I's, ,  neuC)) 
a'  iO  =  iO 
ex’  (iS  x)  =  iS  (cx  x) 

reify  'I'e  'I's  a  (neut  •  n)  =  reifyn  'I'e  'I's  a  n 
reify  'I'e  Ts  a  (>  x)  =  impossible  x 


appsem  :  V^  sem  D  sem  D  sem 

appsem  _  (slam  •  p)  s2  =  <P  []  -s2 

appsem  _  (neut  •  n)  s2  =  neut  •  (napp  •  (n,s2)) 

appsem  _(>x)_  =  impossible  x 

evalenv  :  Vars  ->  Vars  ->  Type 

evalenv  Te  'I's  =  ['I'e]  *  (expC  ft)  D  (['I's]  *  sem) 

eval  :  VC  (A  'I'e  ->  Vc  (\\l/s  ->  evalenv  Te  'I's  D  [ 'I' e ]  *  exp  D  ['I's]  *  sem)) 
eval  H/e  IE's  a  (>  x)  =  a  x 

eval  Te  'I's  a  (app  •  (el,  e2))  =  appsem  'I's  (eval  Te  Ts  a  el)  (eval  Te  'I's  a  e2) 
eval  Te  'I's  a  (lam  •  e)  =  slam  •  <p>  where 
(p  :  <  \l/s  >  (V^  neuC  (sem  D  sem)) 
p  H/’  ctxinv  s’  =  eval  ('I'e, ,  expC)  ('I's  +  HV)  a  e  where 
a’  :  <[]>  evalenv  ('I'e, ,  expC)  ('I's  + 'I'’) 
a’  iO  =  s’ 

a'  (iS  i)  =  weaken*/bounded  sem  'I'’  {neuC}  ctxinv  'I's  (a  i) 


Figure  5.3:  Normalization  by  evaluation 
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sem  D  sem  is  not  weakenable  with  variables  of  type  sem.  The  solution  is  to  consider  admissibil¬ 
ity  functions  that  explicitly  quantify  over  all  future  extensions  of  the  context,  which  we  represent 
with  the  type  (V=>-  sem  D  sem).  This  is  similar  to  a  Kripke  semantics,  or  an  interpretation  into 
presheaves.  However,  for  the  argument  to  go  through,  we  must  ensure  that  the  context  extension 
'k’  consists  only  of  variables  of  a  specific  type  neu,  so  we  use  a  bounded  context  quantifier  below. 

We  represent  the  semantics  by  the  datatypes  neu  and  sem  in  Figurc[5JplThc  type  neu  (neutral 
terms)  consists  of  variables  or  neutral  terms  applied  to  semantic  arguments  (napp);  these  are  the 
standard  neutral  proofs  in  natural  deduction.  A  sem  (semantic  term)  is  either  a  neutral  term  or 
a  semantic  function.  A  semantic  function  of  type  (V^  neuC  (sem  D  sem))  is  an  admissibility 
function  that  works  in  any  extension  of  the  context  consisting  entirely  of  neutral  variables. 

We  define  reification  first,  via  two  mutually  recursive  functions,  reifyn  (for  neutral  terms)  and 
reify  (for  semantic  terms).  It  is  typical  in  logical  relations  arguments  to  use  two  independent 
contexts,  one  for  the  syntax  and  one  for  the  semantics.  Thus,  we  parametrize  these  functions  by 
two  contexts,  one  consisting  for  neu  variables  for  the  semantics,  and  the  other  consisting  of  exp 
variables  for  the  syntax.  We  will  write  'ks  for  the  former  and  \ke  for  the  latter.  The  type  of  reify 
then  says  that,  given  an  environment  mapping  neutral  variables  in  Ts  to  expression  variables  in 
Te,  reify  maps  semantics  in  the  semantic  context  to  expressions  in  the  expression  context 

Even  though  reify  is  given  a  precise  type  describing  the  scoping  of  variables,  its  code  is  as 
simple  as  one  could  want.  To  reify  neutral  terms:  The  reification  of  a  variable  is  the  variable 
given  in  the  substitution.  The  reification  of  an  application  is  the  application  of  the  reifications. 
To  reify  semantic  terms:  The  reification  of  a  function  (slam  •  ip)  is  the  A-abstraction  of  the 
reification  of  an  instance  of  >p.  In  the  recursive  call,  the  expression  context  is  extended  with  a 
new  exp  variable  (which  is  bound  by  the  lam)  and  the  semantic  context  is  extended  with  a  new 
neu  variable.  We  instantiate  the  semantic  function  (p ,  which  anticipates  extensions  of  the  context, 
with  this  one-variable  extension  ([x]  constructs  a  singleton  list),  and  apply  it  to  the  variable,  a' 
makes  the  "parallel"  extension  of  cr,  mapping  the  one  new  variable  to  the  other.  This  could 
be  abstracted  into  a  library  function  if  one  wished.  The  neutral-to-semantic  coercion  is  reified 
recursively,  and  we  disallow  sem  variables  from  the  context. 

To  define  evaluation,  we  first  define  an  auxiliary  function  appsem  that  applies  one  semantic 
term  to  another.  This  requires  a  case-analysis  of  the  function  term:  when  it  is  an  slam  (i.e. 
the  application  is  a  T-rcdcx),  we  apply  the  embedded  computational  function,  choosing  the  nil 
context  extension,  and  letting  the  argument  be  s2.  When  the  function  term  is  neutral,  we  make  a 
longer  neutral  term. 

The  type  of  eval  is  symmetric  to  reify,  except  the  environment  that  we  carry  along  in  the 
induction  maps  expression  variables  to  semantic  terms  rather  than  just  variables.  A  variable  is 
evaluated  by  looking  it  up;  an  application  is  evaluated  by  combining  the  recursive  results  with 
semantic  application.  A  lam  is  evaluated  to  an  slam  whose  body  p  has  the  type  indicated  in  the 
figure.  When  given  a  context  extension  \k’  and  an  argument  s’  in  that  extension,  ip  evaluates  the 
original  body  e  in  an  extended  substitution.  The  new  substitution  a'  maps  the  A-bound  variable 


2In  a  previous  account  of  this  work  (Licata  and  Harper  2009  i,  we  wrote  the  types  in  this  example  in  a  more 
concise,  but  also  less  intuitive,  way:  One  can  choose  to  use  the  ambient  context  as  either  the  syntactic  or  semantic 
context,  rather  than  mentioning  both  explicitly.  However,  the  choice  is  arbitrary,  and  the  asymmetry  makes  the  code 
hard  to  read.  Additionally,  one  can  abstract  out  the  definitions  of  the  environment  types  and  environment  extension, 
but  we  inline  these  definitions  here  for  simplicity. 
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iO  to  the  provided  semantic  value,  and  defers  to  a  on  all  other  variables.  However,  a  provides 
values  in  'Fs,  which  must  be  weakened  into  the  extension  T’.  Fortunately,  the  bounded  quantifier 
provides  sufficient  evidence  to  show  that  weakening  can  be  performed  in  this  case,  because  sem’s 
can  be  weakened  with  neu  variables. 

Normalization  is  defined  by  composing  evaluation  and  reification.  We  define  a  normalizer 
for  closed  A-terms  as  follows: 

emptyreifyenv  :  □  (reifyenv  []  []) 
emptyreifyenv  () 

emptyevalenv  :  □  (evalenv  []  []) 
emptyevalenv  () 

norm  :  □  (exp  D  exp) 

norm  e  =  reify  []  []  emptyreifyenv  (eval  []  []  emptyevalenv  e) 

Our  type  system  has  verified  the  scope-correctness  of  this  code,  proving  that  it  maps  closed 
terms  to  closed  terms.  Amusingly,  Agda  accepts  the  termination  of  this  evaluator  for  the  untyped 
A-calculus,  provided  that  we  have  told  it  to  ignore  its  issues  with  our  universe  itself — a  nice 
illustration  of  the  need  for  the  positivity  check  on  datatypes. 

As  with  the  combinator  example,  it  is  possible  to  give  an  alternate  version  of  this  code  where 
both  expressions  and  semantic  terms  live  in  the  same  context,  at  the  expense  of  various  ap¬ 
peals  to  weakening  and  strengthening  are  necessary.  For  comparison,  we  include  this  version 
in  Figure |5.4|  As  with  the  combinators  example,  the  binder  cases  require  weakening  before  the 
recursive  call,  and  strengthening  afterwards.  Additionally,  the  substitution  extension  o'  in  eval  is 
more  complicated,  as  it  must  handle  the  potential  additional  exp  variables  in  \F  ’ — which  do  not 
in  fact  exist,  as  'F’  is  made  up  of  only  neu  variables. 


Comparison.  The  type  sem  mixes  derivability  and  admissibility  in  an  essential  way:  it  must 
use  admissibility  to  inherit  evaluation  from  Agda,  and  it  must  use  derivability  to  make  it  possible 
to  read  off  a  normal  form.  The  premise  (V^  neuC  (sem  D  sem))  uses  both  =>  and  D  (recall  that 
there  is  a  =>■  buried  in  the  definition  of  V^).  Because  it  uses  D  in  a  recursive  datatype,  it  is  not 
representable  in  LF.  Because  it  uses  =>,  it  would  not  even  be  representable  in  Delphin/Beluga 
extended  with  standard  recursive  types  (that  did  not  interact  with  the  LF  part  of  the  language). 
Despite  the  fact  that  our  implementation  enforces  strong  invariants  about  the  scope  of  variables, 
the  code  is  essentially  as  simple  as  the  FreshML  version  described  by  Shinwell  et  al.  (2003), 
aside  from  the  need  to  pass  the  contexts  Te  and  Ts  along.  Invariants  about  variable  scoping 
can  be  proved  in  Pure  FreshML  (PottierJ  2007),  but  we  enforce  these  invariants  within  a  type 
system,  not  using  an  external  specification  logic.  Relative  to  a  direct  implementation  in  Agda 
(see  Pouillard  and  Pottier  (j2010j))  our  framework  provides  the  weakening  function  needed  in  the 
final  case  of  eval  for  free. 


5.3  Structural  Properties 

Next,  we  describe  our  implementation  of  the  structural  properties.  Like  the  theorem  prover  in 
Chapter  [4j  this  is  a  nice  example  of  using  a  dependently  typed  programming  language  as  its  own 
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reifyn  :  neu  D  (neuC  #  D  expC  #)  D  exp 

reifyn  \1/  (>  x)  a  =  >  (cr  x) 

reifyn  'F  (napp  •  (n,  s))  a  =  app  ■  (reifyn  'I'  n  cr,  reify  'F  s  cr) 

reify  :  sem  D  (neuC  #  D  expC  #)  D  exp 

reify  (slam  •  p)  a  = 

lam  ■  (strengthen/anywhere  exp  (iS  iO) 

(reify  ('!', ,  neuC, ,  expC) 

(weaken/irrel  sem  _  (p  [neuC]  _  (neut  •  (>  iO)))) 
cr'))  where 

cr’  :  <  vF, ,  neuC, ,  expC  >  (neuC  #  D  expC  #) 
cr'  (iS  iO)  =  iO 
cr'  (iS  (iS  x))  =  iS  (iS  (cr  x)) 
reify  vp  (neut  •  n)  cr  =  reifyn  'F  n  cr 
reify  *F  (>  x)  cr  =  impossible  x 


eval  :  exp  D  ((expC  #)  D  sem)  D  sem 

eval  \l>  (>  x)  cr  =  cr  x 

eval  vp  (app  •  (el,e2))  a  =  appsem  _  (eval  'F  el  cr)  (eval  ^  e2  cr) 
eval  (lam  •  e)  a  —  slam  •  p  where 
p  :  <  \ 1/  >  (V^  neuC  (sem  D  sem)) 

< p  4'’  bnd  s’  =  strengthen/middle  sem  4'’ 

(eval  ((\F, ,  expC)  +  4'”) 

(weaken*/bounded  exp  4'’  {neuC}  bnd  _  e) 
cr’)  where 

cr’  :  <  (\F, ,  expC)  +  4'’  >  (expC  #  D  sem) 
cr’  x  with  ListM.ln.splitappend  \F’  (\F, ,  expC)  x 
...  |  Ini  x’  =  Sums. abort  (ListM. In. in-all  _  bnd  x’) 

...  j  Inr  iO  =  weaken/irrel/middle  sem  \l/’  s’ 

...  |  Inr  (iS  x’)  =  weaken*/bounded  sem  4'’  {neuC}  bnd  _ 

(weaken/irrel  sem  _  (cr  x’)) 


Figure  5.4:  Normalization  by  evaluation  with  a  single  context 
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tactic  language. 

The  structural  properties  are  implemented  by  instantiating  a  generic  traversal  for  <  T  >  A. 
The  generic  traversal  has  the  following  type: 

map  :  (A  :  Type)  { T  T’  :  Vars}  ->  (Co  A  T  T’)  ->  <  T  >  A  ->  <  T’  >  A 

This  should  be  read  as  follows:  for  all  A,  T,  and  T’,  under  the  condition  Co  A  $  there  is  a 
map  from  terms  of  type  A  in  T  to  terms  of  type  A  in  T’. 

Co  :  Type  ->  Vars  ->  Vars  ->  Set  is  a  variable  relation ,  a  type-indexed  family  of 
relations  between  two  contexts.  Co  is  in  fact  a  (module-level)  parameter  to  the  generic  map;  it 
must  provide  (1)  a  variable  or  term  in  T’  for  each  variable  in  T  that  the  traversal  runs  into;  and 
(2)  enough  information  to  keep  the  traversal  going  inductively.  We  will  instantiate  Co  with  a 
specific  relation  for  each  traversal;  e.g.,  for  weakening  with  a  variable  of  type  D,  Co  will  relate 
T  to  (T. .  D)  under  appropriate  conditions  on  D  and  A. 

For  expository  purposes,  we  present  a  slightly  simplified  version  of  the  traversal  first;  the 
generalization  is  described  with  weakening  below. 


5.3.1  Compatibility 

We  ensure  that  Co  provides  the  two  pieces  of  information  mentioned  above  using  the  notion  of 
compatibility.  Suppose  that  Co  and  Contra  are  variable  relations.  We  say  that  Co  and  Contra  are 
compatible  iff  there  is  a  term 

compat  :  {A  :  Type}  (T  T’  :  Vars}  ->  Co  A  T  T’  ->  Com  pat  A  T  T’ 
where  Compat  is  defined  as  follows: 


Compat  :  Type  -»  Vars  ->  Vars  ->  Set 
Compat  (D  DM'  =  (D  e  T)  (D  e  vp’) 

Compat  (D+  D)  $  =  ({A  :  Type}  ->  (c  :  InS  (D  A))  ->  Co  A  f  T’) 

x  ({ch  :_}->(>  D  {ch})  G  T  ->  <  T’  >  D+  D) 
Compat  (A  D  B)  $  T  =  Contra  A  $  x  Co  B  $ 

Compat  (TO  =^*  A)'H'1  =  Co  A  ('b  +  TO)  (T’  +  TO) 

Compat  (list  A)  T  T’  =  Co  A  T  T’ 

Compat  (□  A)  T  T’  =  Unit 
Compat  (T)  T  T’  =  Unit 
Compat  (‘0)  T  T’  =  Unit 

Compat  (A®B)TT'  =  Co  A  T  T'  x  Co  B  T  T’ 

Compat  (A  ®  B)  T  T'  =  Co  A  T  T'  x  Co  B  T  T’ 

Compat  (Vc  r)  T  T’  =  (TO  :  _)  ->  Co  (r  TO)  T  T’ 

Compat  (V^  D  A)  T  T’  =  (TO  :  _)  ->  All Eq  TO  D  Co  A  (T  +  TO)  (T’  +  TO) 

Compat  (3c  r)  T  T'  =  (TO  :  _)  ->  Co  (r  TO)  T  T’ 

Compat  (3^  D  A)  T  T’  =  (TO  :  )  ->  All  Eq  TO  D  ->  Co  A  (T  +  TO)  (T’  +  TO) 

Compat  (V=f>  A)  T  T’  =  (TO  :  _)  ->  Co  A  (T  +  TO)  (T’  +  TO) 

Compat  (3=>-  A)  T  T’  =  (TO  :  _)  ->  Co  A  (T  +  TO)  (T’  +  TO) 

Compat  ([T]  *  A) _ =  Unit 
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Compat  imposes  certain  conditions  on  Co  and  Contra.  For  example,  for  variable  types  D  #, 
it  says  that  Co  (D  #)  T  T'  induces  a  map  from  variables  of  type  D  in  T  to  variables  in  T’. 
For  defined  atoms  D+  D,  Compat  says  that  Co  (D+  D)  T  ’  induces  a  map  from  variables  in 
T  to  terms  in  and  that  Co  A  T  T’  holds  for  every  premise  A  of  every  constant  inhabiting 
D.  In  all  other  cases,  Compat  provides  enough  information  to  keep  the  induction  going  in  map 
below.  This  amounts  to  insisting  that  Co  (or  Contra)  holds  on  the  subexpressions  of  a  type  in 
all  appropriate  contexts.  For  example,  the  condition  for  TO  =^*  A  is  that  Co  holds  for  A  in  the 
contexts  extended  with  TO.  As  mentioned  briefly  in  Section  5.1  V=>-  and  3=>-  and  j  \  *  are 

actually  built-in  types,  so  they  can  be  handled  specially  by  the  structural  property  tactics,  though 
their  semantics  is  the  same  as  if  they  were  derived  forms. 

In  the  usual  monadic  traversals  of  syntax  (Altenkirch  and  Reus  1999),  Co  \  T  T’  is  taken 
to  be  (D  :  VarType)  ->  D  G  T  ->  <T’>  D — i.e.  a  realization  of  every  variable 

in  T  as  a  term  in  T’.  In  our  setting,  this  does  not  suffice  to  define  a  traversal,  because  (1) 
it  does  not  provide  for  the  contravariant  flip  necessary  to  process  the  domains  of  admissibility 
functions  and  (2)  it  does  not  allow  us  to  express  a  conditional  traversal,  where  conditions  on  the 
types  ensure  that  the  traversal  will  only  find  certain  variables,  and  thus  that  only  those  variables 
need  realizations.  Compatibility  ensures  that  Co  provides  enough  information  for  Contra  to 
process  the  contravariant  positions  to  the  left  of  a  computational  arrow.  Additionally,  it  permits 
conditional  traversals:  below,  we  will  instantiate  Co  so  that  it  is  uninhabited  for  certain  A. 


5.3.2  Map 

Suppose  that  Co  and  Contra  are  compatible,  and  assume  a  function 

map’  :  (A  :  Type)  (T  T’  :  Vars}  (Contra  A  T  T')  ->  <T>A  ->  <T’>A 

that  is  the  equivalent  of  map  for  the  Contravariant  positions. 

Then  we  implement  map  in  Figure [53]  In  the  first  and  second  cases,  the  compatibility  of  Co 
induces  the  map  on  variables  that  we  need.  In  the  third  case,  we  pre-compose  the  function  with 
map’  and  post-compose  with  map.  In  all  other  cases,  map  simply  commutes  with  constructors, 
or  stops  early  if  it  hits  a  boxed  term. 

5.3.3  Exchange/Contraction 

Exchange  and  contraction  are  implemented  by  one  instantiation  of  map.  In  this  case,  we  take 

Co  A  T  T’  =  Contra  ATT’  =  (T  C  T’  x  T’  C  T) 

where  C  means  every  variable  in  one  context  is  in  the  other.  It  is  simple  to  show  that  these 
relations  are  compatible,  because  Co  (a)  provides  the  required  action  on  variables  directly  and  (b) 
ignores  its  type  argument,  so  the  compatibility  cases  for  the  type  constructors  are  easy.  Exchange 
is  defined  by  instantiating  the  generic  map  with  Co,  where  map’  is  taken  be  map  itself,  which 
works  because  Co  =  Contra. 
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map  :  (A  :  Type)  { T  T’  :  Vars}  ->  (Co  A  T  'I'’)  ->  <  T  >  A  ->  <  T’  >  A 
map  (D+  Dat)  co  (>  x)  =  (snd  (compat  co)  x) 
map  (Dat  cox  =  ((compat  co)  x) 

map  (A  D  B)  co  e  =  Ay  ->  (map  B  (snd  (compat  co))  (e  (map’  A  (fst  (compat  co))  y))) 
map  (TO  A)  co  e  =  map  A  (compat  co)  e 
map  (list  A)  co  []  =  [] 

map  (list  A)  co  (x  ::  xs)  =  map  A  (compat  co)  x  ::  map  (list  A)  co  xs 
map  (D+  Dat)  co  (_•_  {A}  c  e)  =  c  •  map  A  (fst  (compat  co)  c)  e 
map  (□  A)  co  e  =  e 
map  (‘1)  co  t  =  <> 
map  (‘0)  co  () 

map  (A  ®  B)  {T}  {T’}  co  (el,  e2)  =  (map  A  (fst  (compat  co))  el, 

map  B  (snd  (compat  co))  e2) 

map  (A  ©  B)  co  (Ini  el)  =  Ini  (map  A  (fst  (compat  co))  el) 

map  (A  ©  B)  co  (Inr  el)  =  Inr  (map  B  (snd  (compat  co))  el) 

map  (Vc  r)  co  e  =  A  TO  ->  map  (r  TO)  ((compat  co)  TO)  (e  TO) 

map  (V^  D  A)  co  e  =  A  TO  ev  ->  map  A  ((compat  co)  TO  ev)  (e  TO  ev) 

map  (3^  D  A)  co  (TO,  ev,  e)  =  (TO,  ev,  map  A  ((compat  co)  TO  ev)  e) 

map  (3c  r)  co  (TO,  e)  =  TO,  map  (r  TO)  ((compat  co)  TO)  e 

map  (V=»  A)  co  e  =  A  TO  ->  map  A  ((compat  co)  TO)  (e  TO) 

map  (3=^  A)  co  (TO,  e)  =  TO,  map  A  ((compat  co)  TO)  e 

map  ([T]  *  A)  co  e  =  e 


Figure  5.5:  Map 
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5.3.4  Strengthening 

Next,  we  define  a  traversal  that  strengthens  away  variables  that,  based  on  type  information,  can¬ 
not  possibly  occur.  The  invariant  for  strengthening  is  the  following  0 

Co  :  Type  — »  Vars  — »  Vars  — »  Set 

Co  A  T  T’  =  £  (A  (D  :  VarType)  -»•  £  (A  (i  :  D  e  tf) 

->■  Check  (irrel  (un>  D)  A)  x  Id  T’  (T  -  i))) 

Here  i,  a  pointer  into  the  initial  context  T  is  the  variable  to  be  strengthened  away;  the  proposi¬ 
tional  equality  constraint  represented  by  the  Identity  says  that  the  final  context  T’  is  the  initial 
context  with  i  removed.  The  type  Check  (irrel  (un>  D)  A)  computes  to  Unit  when  strengthening 
is  possible,  and  Void  when  it  is  not.  Here  un>  simply  peels  off  the  injection  of  a  defined  atom 
into  a  VarType. 

The  crucial  property  of  irrel  is  that  Check  (irrel  (un>  D)  (D+  D))  computes  to  Void.  This 
forbids  strengthening  a  variable  of  type  D  out  of  a  term  of  type  D.  This  is  necessary  because  we 
cannot  satisfy  the  usual  compatibility  condition  for  (D+  D),  which  would  require  mapping  all 
variables — including  the  variable-to-be- strengthened  i — to  a  term  of  type  D  that  does  not  mention 
i. 

More  generally,  Check  (irrel  (un>  D)  A)  means  that  variables  of  type  D  can  never  be  used  to 
construct  terms  of  type  A,  which  ensures  that  strengthening  never  runs  into  variables  of  the  type 
being  strengthened.  The  function  irrel  D  A  is  defined  by  traversing  the  graph  structure  of  types 
(i.e.,  it  unrolls  the  definitions  of  defined  atoms)  and  checks  ->  (DefinedAtoms.eq  D  Dat)  for  each 
defined  atom  Dat  it  finds. 

To  account  for  contravariance,  we  must  define  strengthening  simultaneously  with  weakening 
by  irrelevant  assumptions,  which  is  similar.  About  250  lines  of  Agda  code  shows  that  these  two 
relations  together  are  compatible.  Their  traversals  are  then  defined  by  instantiating  map  twice, 
mutually  recursively — each  is  passed  to  the  other  as  map’  for  the  contravariant  recursive  calls. 

5.3.5  Weakening 

In  addition  to  weakening  by  irrelevant  types  (e.g.  weakening  a  nat  with  an  exp),  we  can  weaken 
by  types  that  do  not  appear  to  the  left  of  a  computational  arrow  (e.g.,  weakening  an  exp  with  an 
exp). 

For  a  simple  version  of  weakening,  the  variable  relation  is  similar  to  strengthening,  but  uses 
a  different  computed  condition,  and  flips  the  role  of  'k  and  T’  (now  is  bigger): 

Co  :  Type  — »  Vars  — »  Vars  — »  Set 
Co  A  T  T’  =  £  A  (D  :  VarType)  -> 

£  A  (i  :  D  G  r)  -> 

Check  (canWeaken  (un>  D)  A)  x  Id  T  (W  -  i) 

The  function  canWeaken  is  a  different  graph  traversal  than  before:  we  check  irrel  (un>  D)  A 
for  the  left-hand  side  of  each  computational  arrow  A  D  B.  Weakening  can  then  be  defined 

3For  concision,  we  suppress  some  details  arising  from  the  implementation  of  irrel,  which  takes  a  visited  list  as 
an  extra  argument;  see  the  companion  code  for  details. 
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using  strengthening  in  contravariant  positions,  as  irrel  is  exactly  the  condition  that  strengthening 
requires. 

This  suffices  for  a  simple  version  of  weakening.  However,  we  can  be  more  clever,  and  ob¬ 
serve  that  types  of  the  form  V=>-  A  are  always  weakenable,  because  their  proofs  are  explicitly 
parametrized  over  arbitrary  extensions  of  the  context.  Similarly,  C  A  is  weakenable  with 
any  context  composed  entirely  of  C’s.  Capitalizing  on  this  observation  requires  a  slight  gener¬ 
alization  of  the  traversal  described  above:  computationally,  weakening  V=>-  A  does  not  recur¬ 
sively  traverse  the  proof  of  A,  like  map  usually  does,  but  stops  the  traversal  and  instantiates 
the  context  quantifier  appropriately.  Thus,  our  actual  implementation  of  map  is  parametrized  so 
that,  for  each  type  A,  either  it  is  given  sufficient  information  to  transform  A  directly  (a  function 
<  T  >  A  -*  <  T'  >  A),  or  it  has  enough  information  to  continue  recursively,  as  in  the 

compatibility  conditions  described  above.  We  use  the  former  only  for  weakening  the  quantifiers 
(map  <  T  -  i  >  (V=>-  A)  to  <  T  >  (V=>-  A)).  We  refer  the  reader  to  our  Agda  code  for  details. 
All  told,  weakening  takes  about  210  lines  of  Agda  code  to  define  and  prove  compatible. 

5.3.6  Substitution 

Substitution  is  similar  to  weakening  and  strengthening.  Its  invariant  has  the  same  form,  using  a 
condition  canSubst  (un>  D)  A.  This  condition  ensures  two  things:  (1)  that  D  is  irrelevant  to  the 
left-hand-sides  of  any  computational  arrow,  so  that  substitution  can  be  defined  using  weakening- 
with-irrelevant-as  sumptions  in  the  contravariant  position,  and  (2)  that  D  is  weakenable  with  all 
variable  types  bound  by  A,  so  that  the  term  being  plugged  in  for  the  variable  can  be  weakened  as 
substitution  goes  under  binders.  Substitution  takes  about  220  lines  to  define  and  prove  compati¬ 
ble. 


5.4  Discussion 


The  main  point  of  this  chapter  is  to  show  that  we  can  embed  in  Agda  a  logical  framework  that 
allows  mixing  of  admissibility  and  derivability.  These  mixed  definitions  are  not  possible  in 


LF-based  systems,  or  in  other  tools  or  frameworks  for  representing  binding  in  MLTT  (Ambler 
et  al.[  |2002|  |Capretta  and  Felty[  |2007[  |Chlipala[  \2001\  |Hickey  et  al.[  |2006|  |Momigliano  et  al.[ 
2007|).  Though  they  can  be  coded  by  hand  in  MLTT,  our  framework  improves  on  this  by  provid¬ 
ing  datatype-generic  implementations  of  the  structural  properties  of  the  hypothetical  judgement. 
Derivability  is  represented  in  a  pronominal,  contextual  manner,  so  the  type  system  can  be  used 
to  reason  about  the  scoping  of  variables.  We  have  used  the  framework  to  program  a  number 
of  examples,  including  a  scope-correct  version  of  the  normalization-by-evaluation  problem  dis¬ 


cussed  by  Shinwell  et  al.  (2003).  Mixed  definitions  are  not  as  difficult  to  handle  in  systems  based 


on  nominal  logic,  where  all  functions  assume  an  infinite  set  of  names,  and  therefore  anticipate 
extensions  of  the  context — the  failure  of  weakening  does  not  occur.  However,  because  contexts 
are  not  tracked  in  the  type  system,  reasoning  about  scoping  invariants  in  these  systems  requires 


an  external  specification  logic  (Pottier,  2007). 

It  is  interesting  to  consider  where  our  implementation  using  dependent  de  Bruijn  indices 
stands  relative  to  LF-based  systems  for  programming  with  binding.  We  hope  to  have  demon- 
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strated  that,  when  equipped  generically  with  the  structural  properties,  dependent  de  Bruijn  in¬ 
dices  are  not  that  bad.  The  reason  is  that  recursive  functions  over  syntax  typically  do  one  of  three 
things  when  they  hit  a  binder:  make  a  recursive  call  in  an  extended  context,  apply  a  structural 
property  such  as  substitution,  or  continue  pattern-matching  under  the  binder.  Our  framework 
supports  all  of  these  operations.  That  said,  there  are  certainly  some  benefits  of  LF-based  systems 
that  we  were  unable  to  mimic  directly.  First,  these  systems’  termination  checkers  are  aware  that 
the  structural  properties  do  not  change  the  size  of  a  term,  but  our  Agda  implementation  does 
not  make  this  obvious.  Second,  it  is  much  easier  to  write  and  read  pronominal  variables  with  a 
named  syntax.  Third,  LF-based  systems  have  a  more  convenient  syntax  for  applying  the  struc¬ 
tural  properties.  For  example,  the  syntax  of  weakening  and  strengthening  is  relatively  heavy  in 
our  setting.  In  Twelf  and  Delphin,  weakening  is  silent,  and  strengthening  (including  strengthen? 
used  in  the  ^-contraction  example)  is  marked  by  saying  which  variables  do  occur,  using  a  non¬ 
linear  higher-order  pattern.  In  our  Agda  implementation,  weakening  must  be  marked  explicitly, 
and  strengthening  requires  one  to  enumerate  those  variables  that  do  not  occur  instead.  In  Beluga, 
weakening  and  strengthening  are  written  as  substitutions. 

Achieving  the  same  convenience  is  an  interesting  and  important  direction  for  future  work. 
One  option  would  be  to  try  to  do  this  inside  of  the  type  theory,  by  switching  to  a  different  im¬ 
plementation  of  derivability.  For  example,  by  using  a  named  form  for  free  variables,  weakening 
would  need  to  adjust  the  proof  that  all  the  free  variables  of  a  term  are  in  a  context,  but  would  not 
change  the  term  itself — and  hopefully  these  proof  obligations  could  be  handled  automatically. 
Of  course,  named  free  variables  have  their  own  problems,  as  judgements  cannot  be  freely  a- 
converted.  An  alternative  would  be  to  extend  the  proof  assistant  with  special  syntax  for  writing 
down  de  Bruijn  terms — e.g.  elaborating  a  Beluga-like  syntax  to  de  Bruijn  form.  A  challenge  is 
that,  because  Beluga  distinguishes  the  LF  level  from  the  Beluga  level,  there  is  a  natural  place 
to  put  the  substitutions  that  mediate  between  different  scopes.  Without  this  distinction,  it  would 
require  some  thought  to  decide  what  the  syntax  should  be. 

Of  course,  one  way  in  which  all  of  the  LF-based  systems  outpace  ours  is  that  they  support 
dependent  types-generic  judgements  as  well  as  hypotheticals.  In  the  dependently  typed  case, 
even  getting  as  far  as  we  have  gotten  here  is  quite  tricky,  as  we  discuss  in  Part  [III} 


Chapter  6 

Logical  Foundations 


The  research  described  in  this  chapter  was  conducted  jointly  with  Noam  Zeilberger  and  Robert 
Harper,  and  published  in  LICS  2008  (Licata  et  al.\  2008]}. 


In  this  chapter,  we  describe  the  origins  of  the  logical  framework  described  above.  This  pro¬ 
vides  a  more  abstract  presentation,  which  is  divorced  from  the  details  of  the  Agda  embedding. 
Additionally,  the  formal  system  we  use,  intuitionistic  higher-order  focusing,  is  interesting  in  its 
own  right,  independently  of  the  application.  Moreover,  the  Agda  formalization  of  this  system  is 
itself  a  nice  example  of  mixing  admissibility  and  derivability. 

As  we  discussed  with  BL0  above,  polarity  (|Girard[  [1 993[)  is  a  way  of  dividing  up  the  logical 
connectives  into  two  camps,  called  positive  and  negative.  A  positive  connective,  such  as  disjunc¬ 
tion,  requires  making  choices  on  the  right  (ini  or  inr?)  but  is  invertible  on  the  left — the  left  rule 
can  be  applied  eagerly,  independently  of  the  rest  of  the  sequent.  Dually,  a  negative  connective, 
such  as  implication,  requires  choices  on  the  left  (what  do  I  apply  it  to?),  but  is  invertible  on  the 
right.  In  general,  inductive  types  are  positive,  whereas  coinductive  types  are  negative.  Focus¬ 
ing  ( Andrcolij  1992a[)  is  a  proof  discipline  that  involves  chaining  together  choice  and  inversion 
steps.  It  is  unsurprising  that  all  inversion  steps  can  be  applied  eagerly.  What  is  more  surprising 
is  that  that  choice  steps  of  like-polarity  connectives  can  also  be  chained  together,  without  loss 
of  completeness.  A  focused  sequent  calculus  forces  all  inversions  to  be  applied  eagerly,  and  all 
choices  for  a  string  of  like-polarity  connectives  to  be  made  at  once. 

Operationally,  polarity  and  focusing  can  be  given  an  intuitive  explanation  in  terms  of  pattern- 
matching  (Zeilberger^  2008a):  Values  of  positive  polarity  are  introduced  by  choosing  a  construc¬ 
tor,  and  eliminated  by  pattern-matching  against  their  constructors.  On  the  other  hand,  values 
of  negative  polarity  are  introduced  by  pattern-matching  against  their  destructors,  and  eliminated 
by  choosing  a  destructor.  This  is  why,  for  example,  in  ordinary  functional  programming,  func¬ 
tions  can  be  defined  by  pattern-matching,  but  it  is  impossible  to  pattern-match  against  a  func¬ 
tion  (except  with  a  variable  pattern) — implication  (meaning  admissibility)  is  a  negative  connec¬ 
tive.  The  resulting  calculus  resembles  A-normal  form,  and  makes  evaluation  order  explicit  in 
the  program  text.  Restricting  the  calculus  in  this  way  is  useful  for  proof  search  (it  limits  the 
non-determinism)  and  for  proof  equality  (focused  proofs  are  canonical  representatives  of  certain 
equivalence  classes  (Zeilberger[  2009)).  Additionally,  describing  a  logic  within  the  strictures  of 
focusing  generally  improves  one’s  understanding  of  it. 
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This  raises  the  following  question:  what  is  the  polarity  of  derivability?  On  the  one  hand,  it 
has  a  positive  character,  as  one  can  pattern-match  against  a  derivability.  On  the  other,  it  has  a 
negative  character,  as  a  derivability  can  be  eliminated  by  substitution  (choosing  a  term  to  substi¬ 
tute).  Our  investigation  of  this  question  leads  to  the  notion  of  pre-derivability  described  above: 
we  take  the  positive  aspect  of  derivability  as  fundamental,  and  define  a  connective  =>  that  is  elim¬ 
inated  by  pattern-matching.  The  negative  aspect  is  then  a  definable  notion,  which  corresponds  to 
implementing  the  structural  properties.  Moreover,  because  the  definition  of  =>■  involves  only  the 
identity  principle  (use  of  an  assumption)  and  pattern-matching,  the  calculus  is  compatible  with 
situations  where  the  structural  properties  do  not  hold. 

While  this  story — pre-derivability  is  positive,  admissibility  is  negative — is  appealingly  di¬ 
chotomous,  the  reality  is  more  complicated.  Pre-derivability  is  not  inherently  positive,  but,  rather, 
maintains  the  polarity  of  whatever  connective  it  is  applied  to.  For  example,  when  used  in  an  in¬ 
ductive  definition,  pre-derivability  stays  positive — in  contrast  to  admissibility,  which  forces  a  po¬ 
larity  shift.  But  when  used  around  a  negative  connective,  pre-derivability  also  stays  negative — as 
we  saw  above,  D  =>■  (A  D  B)  can  be  applied  to  an  A  in  an  extended  context  to  produce  a  B  in  an 
extended  context.  We  express  this  in  a  focused  calculus  by  defining  two  connectives,  positive 
and  negative  X,  which  are  the  positive  and  negative  versions  of  pre-derivability.  These  satisfy  a 
“some/any”  theorem  (PittsJ  2003])  which  says  that  they  are  interprovable  in  an  appropriate  sense. 

In  our  Agda  implementation,  we  implemented  the  structural  properties  using  generic  pro¬ 
gramming  in  the  meta-language.  An  ordinary  presentation  of  a  sequent-calculus  does  not  pro¬ 
vide  this  opportunity  for  integrating  meta-programs  into  the  language.  However,  Zeilberger’s 
higher-order  presentation  of  focusing  does  (Zeilbergerf  2008a|b[  2009).  The  idea  of  higher-order 
focusing  is  to  represent  inversion  phases,  or  pattern-matching,  by  meta-level  admissibility  func¬ 
tions  from  patterns  to  expressions.  In  particular,  these  meta- level  admissibility  functions  may 
exploit  meta-level  implementations  of  the  structural  properties,  which  proceed  by  induction  on 
types.  Higher-order  focusing  is  also  an  extremely  clean  and  concise  system,  where  connectives 
are  specified  by  their  patterns,  from  which  both  the  focusing  and  inversion  phases  are  derived. 
Moreover,  it  enables  connective-independent  proofs  of  cut  and  identity.  In  this  work,  we  extend 
higher-order  focusing  from  classical  logic  (|Zeilberger  2008a[)  and  positive-only  intuitionistic 
logic  (Zeilberger,  2008b)  to  full  intuitionistic  logic.  This  has  since  been  shown  to  be  a  subsys¬ 
tem  of  a  logic  that  admits  both  classical  and  intuitionistic  connectives  (Zeilberger,  2010),  but  the 
direct  presentation  of  the  intuitionistic  part  is  somewhat  more  accessible. 

In  Section [6~i~[  we  present  a  focused  sequent  calculus  for  intuitionistic  higher-order  focusing, 
and  show  how  it  can  be  used  to  define  pre-derivability.  We  define  the  identity  and  cut-elimination 
procedures,  and  prove  they  are  total  under  assumptions  about  the  class  of  connectives.  In  Sec¬ 
tion  6.2|  we  show  an  Agda  representation  of  this  sequent  calculus. 


6.1  Sequent  Calculus 

A  higher-order  focused  sequent  calculus  is  defined  in  two  stages.  First,  the  polarized  connec¬ 
tives  are  defined  by  axiomatizing  the  structure  of  patterns.  Positive  connectives  are  defined  by 
constructor  patterns,  and  negative  connectives  by  destructor  patterns.  Second,  there  is  a  general 
focusing  framework  that  is  independent  of  the  particular  connectives  of  the  logic. 
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We  begin  by  defining  a  focused  sequent  calculus  for  polarized  intuitionistic  logic,  including 
the  simple  structure  of  patterns  and  the  general  focusing  rules. 

6.1.1  Simple  contexts  and  patterns 

We  write  X+,  Y+,  Z+  and  X',  Y~ .  Z~  to  stand  for  positive  and  negative  propositional  variables 
(atomic  propositions),  and  A+,  B+.  C*  and  A~,B~,  C~  to  stand  for  arbitrary  positive  and  negative 
formulas.  We  use  a  to  range  over  assumptions  X+  or  C~ ,  and  dually  7  to  range  over  conclusions 
X '  or  C+.  A  linear  context  A  is  a  list  of  assumptions. 

The  positive  connectives  are  defined  through  the  judgement  A  lb  C+,  which  corresponds  to 
applying  only  linear  right-rules  to  show  C+  from  A.  For  example,  the  rules  for  atoms,  conjunc¬ 
tion,  and  disjunction  are  as  follows: 

_  Ai  lb  A+  A2  lb  B+  A  lb  A+  A  lb  B+ 

X+  lb  X+  Ai,  A2  lb  A+  <g)  B+  Alb  A+®B+  A  lb  T+  ©  B+ 

Foreshadowing  the  Curry-Howard  interpretation,  we  refer  to  derivations  of  this  judgement  as 
constructor  patterns;  linearity  captures  the  restriction  familiar  from  functional  programming 
that  a  pattern  binds  a  variable  just  once. 

Negative  connectives  are  defined  by  A  lb  C~  >  7,  which  corresponds  to  using  linear  left- 
rules  to  decompose  C '  into  the  conclusion  7.  A  proof  term  for  this  judgement  is  a  destructor 
pattern ,  which  gives  the  shape  of  an  elimination  context  (continuation)  for  negative  types: 

Ax  lb  A+  A2  lb  B-  >  7  A  lb  A'  >  7  A  lb  B-  >  7 

Ai,  A2  lb  A+  — >  B~  >  7  A  lb  A" 8iB~  >7  A  lb  A~ &.B~  >  7 

Observe  that  a  destructor  pattern  for  A+  — >  B~  includes  a  constructor  pattern  for  A+,  as  well  as 
a  destructor  pattern  for  5',  matching  the  possible  observations  on  a  function  type.  We  have 
adopted  linear  logic  notation  by  writing  0  for  positive  and  &  for  negative  conjunction.  In  the 
present  setting,  both  of  these  connectives  encode  ordinary  intuitionistic  conjunction  with  respect 
to  provability,  but  they  have  different  proof  terms:  positive  conjunction  is  introduced  by  an  eager 
pair  whose  components  are  values,  and  eliminated  by  pattern-matching  against  both  compo¬ 
nents;  negative  conjunction  is  eliminated  by  projecting  one  of  the  components,  and  introduced 
by  pattern-matching  against  either  possible  observation,  i.e.  by  a  lazy  pair. 

6.1.2  Focusing  Judgements 

In  Figure  |6.1|  we  present  the  focusing  rules.  In  these  rules,  T  stands  for  a  sequence  of  linear 
contexts  A,  but  T  itself  is  treated  in  an  unrestricted  manner  (i.e.,  variables  are  bound  once  in  a 
pattern,  but  may  be  used  any  number  of  times  within  the  pattern’s  scope). 

The  first  two  judgements  concern  the  positive  connectives.  The  judgement  T  b  [C*]  defines 
right-focus  on  a  positive  formula,  or  positive  values:  a  positive  value  is  a  constructor  pattern 
under  a  substitution  for  its  free  variables.  Focus  judgements  make  choices:  to  prove  C+  in 
focus,  it  is  necessary  to  choose  a  particular  shape  of  value  by  giving  a  constructor  pattern,  and 
then  satisfy  the  pattern’s  free  variables.  Values  are  eliminated  with  the  left-inversion  judgement 
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Right  Focus 


Left  Inversion 


Left  Focus 


Right  Inversion 


Neutral 


Assumptions 


Assumption 

a 

::=  X+  |  C- 

Conclusion 

7 

::=  X-  |  C+ 

Lineal-  context 

A 

::=  •  A,  a 

Unrestricted  context 

r 

■■■=  •  1  r,  A 

A  lb  C+  r  b  A 


r  b  [c+] 

r  b  [c+] 

(Alb  c+  — >  r,Ab7) 

r  b  7o  >  7 

r  b  r  >  i'  r  b  c+  >  7 

A  lb  C*"  >  7 o  r  b  A  r  b  70  >  7 

r  b  \c-\  >  7 

r  b  [C-]  >  7 

r  b  a 


r  b  7 


(A  lb  (7'  >  7  — >  r,Ab7)  X+eT 

r b  c~  rbr 

r  b  [c+]  cr  e  r  r  b  \c~]  >  7 
r  b  c+  fF^ 

r  b  a  r  b  a 


r  b  a 


rb-  r  b  a,  a 


Figure  6.1:  Focusing  rules 
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r  h  7q  >  7,  which  defines  a  positive  continuation  by  case-analysis.  Inversion  steps  respond 
to  all  possible  choices  that  the  corresponding  focus  step  could  make:  the  rule  for  C+  quantifies 
over  all  constructor  patterns  for  that  formula,  producing  a  result  in  each  case.  By  convention, 
we  tacitly  universally  quantify  over  metavariables  such  as  A  that  appear  first  in  a  judgement  that 
is  universally  quantified,  so  in  full  the  premise  reads  “for  all  A,  if  A  lb  C +  then  T.  A  h  7.” 
The  positive  connectives  are  thus  introduced  by  choosing  a  value  (focus)  and  eliminated  by 
continuations  that  are  prepared  to  handle  any  such  value  (inversion).  For  atoms,  the  only  case- 
analysis  is  the  identity. 

The  next  two  judgements  concern  the  negative  connectives,  where  the  relationship  between 
introduction/elimination  and  focus/inversion  is  reversed.  A  negative  formula  is  eliminated  by 
the  left-focus  judgement  T  b  \C~]  >  7,  which  chooses  how  to  observe  C~  by  giving  a  nega¬ 
tive  continuation.  A  negative  continuation  consists  of  a  destructor  pattern,  a  substitution,  and 
a  case-analysis.  The  destructor  pattern  and  substitution  decompose  a  negative  type  C~  to  some 
conclusion  70,  for  instance  a  positive  type  C+.  However,  it  may  take  further  case-analysis  of 
this  positive  type  to  reach  the  desired  conclusion  7.  Dually,  negative  types  are  introduced  by 
inversion,  which  responds  to  left-focus  by  giving  sufficient  evidence  to  support  all  possible  ob¬ 
servations.  The  right-inversion  judgement  Tba,  where  assumptions  a  are  negative  formula  or 
positive  atoms,  specifies  the  structure  of  a  negative  value.  A  negative  value  for  C~  must  show 
that  for  all  destructors  of  C~,  the  conclusion  is  justified  by  the  variables  bound  by  the  patterns  in 
it. 

The  judgement  T  by,  defines  a  neutral  sequent,  or  an  expression :  from  a  neutral  sequent,  one 
can  either  right-focus  and  return  a  value,  or  left-focus  on  an  assumption  in  T  and  apply  a  negative 
continuation  to  it.  Finally,  a  substitution  T  b  A  provides  a  negative  value  for  each  hypothesis. 

Instantiating  these  rules  using  the  above  pattern  rules,  we  see  that  they  give  the  expected 
derived  rules  for  the  connectives;  e.g.: 

rbr  rbr  r b  z~  r,x+hz-  r,Y+hz~ 
r  b  (x~&  y~)&z~  r  b  (x+  ©  f+)  -»•  z~ 


6.1.3  Patterns  for  Pre-derivability 


In  Section  6.1.1[  we  gave  a  fixed  set  of  rules  for  constructing  the  patterns  of  some  simple  connec¬ 
tives.  We  now  generalize  this  by  making  a  context  of  rules  a  pattern  of  the  pattern  judgement.  A 
rule  R  takes  the  form  P  <$=  A\  ■  ■  ■  ■$=  A+n,  where  A\, . . . ,  A+n  are  positive  formulas  and  P  is  a  de¬ 
fined  atom.  Rules  are  collected  in  a  rule  context  T.  The  rule  context  is  carried  through  the  pattern 
judgements:  A  lb  A+  becomes  A  lb  (\P)  A+  and  A  lb  A"  >  7  becomes  A  lb  ('T)  A '  >  7.  The 
rule  context  represents  both  the  signature  of  constructors,  and  the  local  assumptions  introduced 
by  binders.  This  encompassed  both  InZ  and  T  from  Chapter  [5}  but  is  more  general,  because 
binders  can  locally  introduce  higher-order  rules. 


A  rule  P  <=  A\ 


A*n  e  T  can  be  applied  to  produce  a  constructor  pattern  for  P: 


Ax  lb  (T>  A\ 


An  lb  (T>  a; 


A1;...,An  lb  (A)P 

Note  that  rules  are  unrestricted,  in  the  sense  that  they  can  be  applied  an  arbitrary  number  of  times 
while  constructing  a  pattern.  This  pattern  typing  rule  corresponds  to  the  definition  of  the  datatype 
Data  in  Chapter  [5] 
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Pos.  formula 

A+ 

::=  X+|jbl- 

1  \  A+  <g>  B+  0  \  A+  ©  B+  P  R  =>  B+ 

Rule 

R 

::=  P  4=  A\- 

■■*=K 

Neg.  formula 

A~ 

::=  A'  |  |yl+ 

A+  ->  B~  \  T  A~ &B~  |  R  X  B~ 

Rule  Context 

'P 

::=  -|  V,R 

Contextual  form. 

C± 

::=  ('P)^ 

A  lb  ('P)  yl+ 


X+  lb  (\P)  X+  ('P)  A'  lb  ('P)  [A' 

AJb^A*  A2lb  (V)B+ 
■  lb  (tf)  1  Ai,A2  lb  (tf)  A+®B+ 


A  lb  (\P)  A+  A  lb  (<P)  B+ 

(no  rule  for  0)  A  lb  (\P)  A+  ©  B+  A  lb  (\P)  A+  ©  B+ 

P  4=  A\  ■  ■  ■  4=  A+n  <E  <P 

A  lb  ,  R)  B+  Ai  lb  (A>)  A\  ...  An  lb  (A>)  A+n 
Alb  (V)R=>  B+  Ai,...,An  lb  (V)P 


A  lb  (\P)  A"  >  7 


•  lb  (\P)  X~  >  X'  ■  lb  (V)  |.4+  >  (<P)  A+ 

A  lb  ('l')  bt"  >  7  A  lb  (tf)  B-  >7 
(no  rule  for  T)  A  lb  (*P)  A" &B'  >7  A  lb  (*P)  A' &B~  >  7 

Ai  lb  (\P)  A+  A2  lb  (\P)  5“  >  7  A  lb  ('P,  R)  B-  >  7 
Ai,  A2  lb  (tf>  A+  -»  B-  >  7  Alb  (V)RXB-  >7 


Figure  6.2:  Patterns 
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Pre-derivability  is  represented  by  two  connectives,  =>■  and  X: 

Alb  (ty,R)B+  A  lb  (V,R)  B-  >  7 


Alb  (Tf)R^B+  A  lb  (V)R  X  B-  >  7 

Both  connectives  expand  the  rule  context,  introducing  a  scoped  constructor  of  type  R.  The  rule 
for  R  =>■  B+  builds  a  constructor  pattern  for  IX  under  assumption  of  R  and  essentially  (if  we 
ignore  structural  punctuation)  looks  like  an  implication  right-rule,  while  the  rule  for  R  X  B~ 
builds  a  destructor  pattern  for  B '  and  looks  like  a  conjunction  left-rule.  However,  as  we  will 
see  in  Section  |6.1.5[  these  connectives  behave  quite  differently  from  ordinary  implication  and 
conjunction,  in  part  due  to  their  non-standard  polarity. 

Most  of  the  remaining  rules  (see  Figure  |6.2|)  for  the  connectives  of  polarized  logic  are  unre¬ 
markable,  since  they  simply  carry  the  rule  context  through  unchanged.  The  “shift”  connectives  j 
and  j.  deserve  explanation,  though.  Following  Girard  (|2001|),  these  mark  the  boundary  between 
positive  and  negative  polarity,  and  correspondingly  they  mark  the  point  where  pattern-matching 
must  end  (Zeilbergerj  2008a).  Because  the  rule  context  can  change  during  the  course  of  pattern- 
matching,  it  is  necessary  to  associate  assumptions  and  conclusions  with  a  specific  rule  context. 
We  indicate  this  with  contextual  formulas  (\P)  A+  and  (T)  A ',  so  that  the  rules  for  the  shift  con¬ 
nectives  are: 


<\P)  A'  lb  (\P)  [A'  •  lb  (tf)  TbP  >  (tf)  A+ 

For  example,  pattern-matching  on  (\D)  R  =>■  [A'  produces  a  variable  of  contextual  type  (T.  R)  A~. 
The  same  phenomenon  occurs  in  Chapter  [5}  when  pattern-matching  on  (T)  D  =>•  A  yields  an 
Agda  variable  of  type  (\l/,  D)  A. 

In  spite  of  this  richer  notion  of  patterns,  the  generic  focusing  rules  of  Figure  |6T] remain  un¬ 
changed  if  we  adopt  a  notational  sleight-of-hand:  we  now  take  C*  and  C~  to  range  over  contextual 
formulas. 


6.1.4  Identity  and  Cut 

The  context  T  can  be  used  to  define  arbitrary  recursive  types.  For  example,  consider  an  atom  D 
defined  by  one  constant 

d  :  D  4=  j(D  — >  |D) 

D  is  essentially  the  recursive  type  pX.X  — >  A",  which  can  be  used  to  write  non-terminating 
programs. 

Because  the  rule  context  permits  the  definition  of  general  recursive  types,  it  should  not  be 
surprising  that  the  identity  and  cut  principles  are  not  admissible  in  general.  Through  the  Curry- 
Howard  interpretation,  however,  we  can  still  make  sense  of  the  identity  and  cut  principles  as 
corresponding,  respectively,  to  the  possibly  infinite  processes  of  //-expansion  and  /3-reduction. 
We  now  state  these  principles,  “prove”  them  by  operationally  sound  but  possibly  non-terminating 
procedures,  and  then  discuss  criteria  under  which  these  proofs  are  well-founded. 

Principle  6.1.1:  Identity. 

1.  (neg.  identity)  If  C'  G  b  then  T  b  CX . 

2.  (pos.  identity)  b  h  C+  >  CX 

3.  ( identity  substitution)  If  A  C  b  then  b  b  A. 
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Procedure.  The  first  identity  principle  reduces  to  the  second  and  third  as  follows: 

ID3  ID2 

A  lb  C"  >  7  r,AbA  rb7>7 
C'GT  r,Ab  [C-]  >7 

V(A  lb  C-  >  7)  :  r,Ab7 

r  b  cr 

The  second  identity  reduces  to  the  third  as  follows: 

ID3 

Alb  C+  T,  A  b  A 
r,A  b  \c+] 

V(A  lb  C+)  :  r,  A  b  C+ 

r  b  c+  >  c+ 

Finally,  the  third  identity  reduces  to  the  first  applied  over  all  hypotheses  C~  e  A.  □ 

Principle  6.1.2:  Cut. 

1.  (neg.  reduction )  IfTLC'  and  T  b  [C]  >  7  then  Thy. 

2.  (pos.  reduction)  //Tb  [C+]  and  T  b  C*  >  7  then  Thy. 

3.  ( composition ) 

(a)  IfT  h  7  o  and  V  b  7o  >  7  then  Thy. 

(b)  IfT  h  [C~]  >  7  0  and  T  h  y0  >  7  then  T  h  [C~]  >  7. 

(c)  IfT  h  7l  >  7o  and  T  h  7o  >  7  then  V  b  7l  >  7. 

4.  (substitution)  For  cdl  six  focusing  judgements  J,  ifY  h  A  and  T,  A  b  J  then  V  b  J. 

Procedure.  Consider  the  first  cut  principle.  The  two  derivations  must  take  the  following  form: 

V(A  lb  cr  >  70)  :  r,  A  b  70  A  lb  C'  >  70  T  b  A  T  b  y0  >  7 
r  b  c-  r  b  [c~\  >  7 

By  plugging  A  lb  C  >  7o  from  the  right  derivation  into  the  higher-order  premise  of  the  left 
derivation,  we  obtain  T,  A  h  7o.  Then  T  h  7o  by  substitution  with  T  b  A,  whence  T  h  7  by 
composition  with  T  b  7o  >  7.  The  case  of  positive  reduction  is  analogous  (but  appeals  only  to 
substitution). 

In  all  cases  of  composition,  if  7o  =  X~  then  the  statement  is  trivial.  Otherwise,  we  examine 
the  last  rule  of  the  left  derivation.  For  the  first  composition  principle,  there  are  two  cases:  either 
the  sequent  was  derived  by  right-focusing  on  the  conclusion  7o  =  C+,  or  else  by  left-focusing  on 
some  hypothesis  C~  G  T.  In  the  former  case,  we  immediately  appeal  to  positive  reduction.  In  the 
latter  case,  we  apply  the  second  composition  principle,  which  in  turn  reduces  to  the  third,  which 
then  reduces  back  to  the  first. 

Likewise,  to  show  substitution  we  examine  the  rule  concluding  T,  A  h  J.  Dually  to  the 
composition  principle,  the  only  interesting  case  is  when  the  sequent  was  derived  by  left-focusing 
on  CL  G  A,  wherein  we  immediately  apply  a  negative  reduction. 

□ 
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Observe  that  we  have  made  no  mention  of  particular  connectives  or  rule  contexts,  instead 
reasoning  uniformly  about  focusing  derivations.  As  we  alluded  to  above,  however,  in  general 
these  procedures  are  not  terminating.  Here  we  state  sufficient  conditions  for  termination.  They 
are  stated  in  terms  of  a  strict  subformula  ordering,  a  more  abstract  version  of  the  usual  structural 
subformula  ordering. 

Definition  6.1.3:  Strict  subformula  ordering.  We  define  an  ordering  C'f  □  Cf  be¬ 
tween  contextual  formulas  as  the  least  transitive  relation  closed  under  the  following  properties: 

•  If  A  lb  Cl  >  7  and  C2'  6  A  then  C{  A  C2 

•  If  A  lb  Cl  >  7  and  C2  =  7  then  C{  A  C2 

•  If  A  lb  C')  and  C2  €  A  then  C\  A  C2 

For  any  contextual  formula  C±,  we  define  A  c  to  be  the  restriction  of  A  to  formulas  below  C±. 

The  strict  subformula  ordering  does  not  mention  atoms  X+  or  A"',  since  they  only  play  a 
trivial  role  in  identity  and  cut. 

Definition  6.1.4:  Well-founded  formulas.  We  say  that  a  contextual  formula  C±  is 
well-founded  if  Ac  is  well-founded. 

PROPOSITION  6.1.5.  Positive  and  negative  identity  are  admissible  on  well-founded  formulas. 

Proof.  By  inspection  of  the  above  procedure.  Positive  and  negative  identity  are  proved  by  mutual 
induction  using  the  order  Ac,  with  a  side  induction  on  the  length  of  A  to  show  substitution 
identity.  □ 

PROPOSITION  6.1.6.  Positive  and  negative  reduction  are  admissible  on  well-founded  formulas. 


Proof.  By  inspection  of  the  above  procedure.  Positive  and  negative  reduction  are  proved  by 
mutual  induction  using  the  order  Ac,  with  a  side  induction  on  the  left  derivation  to  show  com¬ 
position,  and  a  side  induction  on  the  right  derivation  to  show  substitution.  □ 


Definition  6.1.7:  Purely  positive  rules.  A  rule  R  is  called  purely  positive  if  it  con¬ 
tains  no  shifted  negative  formulas  l  A'  as  premises  (or  structural  subformulas  of  premises).  For 
example,  exp  •<=  (exp  =£■  exp)  is  pure,  but  D  j(D  — >  j£))  is  not. 

Lemma  6.1.8.  Suppose  (T)  A*  contains  only  purely  positive  rules  (i.e.,  in  T,  or  as  structural 
subformulas  of  A±).  Then  (T)  A*  is  well-founded. 

Proof.  By  induction  on  the  structure  of  A±.  Every  pattern  typing  rule  (recall  Figure  [6A])  exam¬ 
ines  only  structural  subformulas  of  A±,  except  when  A+  =  P.  But  any  P  defined  by  purely  posi¬ 
tive  rules  P  ■$=  A\  ■■■■$=  A+n  in  fact  has  no  strict  subformulas,  since  the  A *  such  that  A*  lb  (\&)  A\ 
can  contain  only  atomic  formulas  X+.  □ 


The  restriction  to  pure  rules  precludes  premises  involving  admissibility.  However,  it  in¬ 
cludes  all  inference  rules  definable  in  the  LF  logical  framework,  generalizing  Schroeder-Heister’s 
proof  of  cut-elimination  for  the  fragment  of  definitional  reflection  with  — >-free  rules  (Schroeder- 
Heister,  1993)  (since  purely  positive  rules  do  not  exclude  =>’s).  Moreover,  as  we  explained,  the 


identity  and  cut  principles  are  always  operationally  meaningful,  even  in  the  presence  of  arbi¬ 
trary  recursive  types.  Technically,  we  could  adopt  a  coinductive  reading  of  the  focusing  rules 
(ef.  (Girard,  2001)),  in  which  case  identity  is  always  productive,  and  cut-elimination  is  a  partial 
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operation  that  attempts  to  build  a  cut-free  proof  bottom-up.  We  conjecture  that  cut-elimination 
is  total  given  a  positivity  restriction  for  rules. 


6.1.5  Shock  therapy 


In  §6.2  of  “Locus  Solum”,: Girard  ( 200 1  [)  considers  several  “shocking  equalities” — counterintuitive 
properties  of  the  universal  and  existential  quantifiers  that  emerge  when  they  are  given  non¬ 
standard  polarities.  For  example,  positive  V  commutes  under  ©,  while  negative  3  commutes 
over  &.  In  our  setting,  =>■  behaves  almost  like  a  positive  universal  quantifier,  and  A  almost  like 
a  negative  existential.  These  would  become  real  quantifiers  in  an  extension  to  dependent  types. 
And  indeed,  we  can  reproduce  analogues  of  these  commutations. 


Definition  6.1.9.  For  two  positive  contextual  formulas  C\  and  Cf  we  say  that  Cl  <  CX2  if 
■  F  C\  >  Cf  For  negative  C\  and  C2,  we  say  C[  <  C~2  if  C\  h  Cf  We  write  C I  ~  C2 
when  both  Cf  <  C2  and  C2  <  C'f.  These  relations  are  extended  to  (non-contextual)  polarized 
formulas  if  they  hold  under  cdl  rule  contexts. 


Proposition  6.1.10:  “Shocking”  equalities. 

1.  ( A+  ©  B+ )  «  (R  =►  A+)  ©  (R  =>  B+) 

2.  ( R  X  A-)&(R  AB-)nRX  ( A-&B- ) 


Proof  Immediate — indeed,  in  each  case,  both  sides  have  an  isomorphic  set  of  patterns.  □ 


Why  are  these  equalities  shocking?  If  we  ignore  polarity  and  treat  all  the  connectives  as 
ordinary  implication,  disjunction,  and  conjunction,  then  (2)  is  reasonable  but  (1)  is  only  valid 
in  classical  logic.  And  if  we  interpret  =>■  and  A  as  V  and  3,  then  both  equations  are  shockingly 
anticlassical: 

1.  Vx.(A  ©_£?)«  (Vt.A)  ©  if/x.B) 

2.  (3x.A)&(3x.B)  fa  3 x.(A&B) 

On  the  other  hand,  from  a  computational  perspective,  these  equalities  are  quite  familiar.  For 
example,  (1)  says  that  a  value  of  type  A  ©  B  with  a  free  variable  is  either  the  left  injection  of  an 
A  with  a  free  variable  or  the  right  injection  of  a  B  with  a  free  variable. 

We  can  state  another  pair  of  surprising  equivalences  between  the  connectives  =>■  and  A  under 
polarity  shifts: 

Proposition  6.1.1 1:  Some/ any. 


1.  i{R  A  A-)  «  R  =>  IA- 

2.  T (R  =►  2p)  «  R  A  T2P 


Again,  this  coincidence  under  shifts  is  not  too  surprising,  since  it  recalls  the  some/any  quan¬ 
tifier  I/I  x.  A  of  nominal  logic  (Pitts,  2003 ),  as  well  as  the  self-dual  V  connective  of  Miller  and  Tiu 


(20031.  I/It. A  can  be  interpreted  as  asserting  either  that  A  holds  for  some  fresh  name,  or  for  all 
fresh  names — with  both  interpretations  being  equivalent. 


6.2.  AGDA  REPRESENTATION  OF  FOCUSING 
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6.1.6  Relationship  to  modal  logic 

Though  we  did  not  originally  recognize  it  as  such,  the  above  system  in  fact  corresponds  to  a 
hybrid  modal  logic  presented  in  the  style  of  Simpson  (Simpson,  1993),  where  the  rule  context 
T  is  the  world.  We  can  define  the  hybrid  connectives  /lt'Ab  (which  we  called  [T]*A  above)  and 
l  i/j.A  by  pattern  rules  as  follows: 


A  lb  (Tl)  {^/ip]A'  >  7 

A  lb  (ib)  A+@+\|/'  A  lb  (&)  [+^.A+  A  lb  (Ti)  A'CT'F'  >  7  A  lb  ('k)  >  7 


A  lb  (V)  A+ 


A  lb  (tf)  [<I>/^]A+ 


A  lb  (W)  A'  >  7 


Then  R  =>■  A*  is  definable  as  j  i/j.A+@(?py  R):  the  pattern  rule  for  has  the  same  premise  as 
the  single  derived  rule  for  this  composition  of  connectives.  A  similar  result  holds  for  X. 

This  connection  with  modal  logic  sheds  more  light  on  the  some/any  theorem  described  above, 
once  we  observe  that  both  @  and  J,  also  satisfy  this  equivalence  under  shifts.  Our  explanation  for 
this  ambipolar  nature  of  X,  @,  and  J,  is  that  they  are  “macro”  connectives,  which  can  in  fact  be 
interpreted  away — as  we  exploited  in  our  Agda  implementation  above.  The  interpretation  of  each 
of  these  connectives  ( R  A,  A@'k,  j  ip.  A)  is  defined  to  be  the  interpretation  of  A  in  a  modified 
context  or  under  a  substitution,  so,  after  interpretation,  the  outer  structure  of  the  proposition  is 
the  structure  of  A. 

This  connection  with  modal  logic  also  provides  new  insight  into  the  Agda  implementation 
of  our  framework:  the  interpretation  of  Types  as  functions  from  Ctx  — >  Set  corresponds  to  im¬ 
plementing  the  Kripke  semantics  of  the  modal  logic.  This  observation  suggests  a  way  of  repre¬ 
senting  modal  logic  in  a  dependently  typed  programming  language,  which  we  have  exploited  in 
a  formalization  of  the  ML5  programming  language  (Licata  and  Harper,  2010). 


6.2  Agda  Representation  of  Focusing 

In  this  section,  we  show  how  to  represent  higher-order  focusing  in  Agda.  Higher-order  focus¬ 
ing  is  itself  a  nice  example  of  mixing  admissibility  and  derivability:  the  context  of  negative 
assumptions  T  requires  derivability,  but  the  higher-order  representation  of  inversion  requires  ad¬ 
missibility.  For  simplicity,  we  show  only  non-contextualized  patterns,  though  the  contextualized 
case  is  no  more  difficult  to  represent. 

In  Figure  |6.3[  we  represent  the  types  as  a  straightforward  inductive  definition.  We  combine 
the  mutually  inductive  definitions  of  positive  and  negative  types  into  one  inductive  definition 
indexed  by  a  polarity;  this  makes  it  easier  to  define  operations  that  work  on  both  polarities  of 
types. 

Next,  we  represent  contexts: 

data  Hyps  :  Set  where 
:  Hyps 

_  :  Hyps  ->  Hyps  ->  Hyps 
true-  :  Type-  ->  Hyps 
_atom+  :  Atom  ->  Hyps 
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Atom  :  Set 
Atom  =  String 

data  Pol  :  Set  where 
Pos  :  Pol 

Neg  :  Pol 

mutual 

Type-  :  Set 
Type-  =  Type  Neg 

Type-1-  :  Set 
Type-1-  =  Type  Pos 

data  Type  :  (p  :  Pol)  ->  Set  where 
X+  :  Atom  ->  Type4" 

j  :  Type-  ->•  Type+ 

T  :  Type4" 

:  Type4-  ->  Type4"  ->  Type4" 
‘0  :  Type4" 

_©_  :  Type4-  ->  Type4"  ->  Type4" 
nat  :  Type4" 

X-  :  Atom  ->  Type- 

:  Type4"  ->  Type- 
_D__  :  Type4"  ->  Type-  ->  Type- 
T  :  Type- 

:  Type-  -»  Type-  ->  Type- 


Figure  6.3:  Agda  Representation  of  Polarized  Types 


6.3.  DISCUSSION 
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Ctx  :  Set 
Ctx  =  List  Hyps 

data  Cone  :  Set  where 
true"1"  :  Type4-  ->  Cone 

atom-  :  Atom  ->  Cone 

data  _gA_  :  (A  :  Hyps)  ->  Hyps  ->  Set  where 
iX  :  V  {X}  ->  (X  atom+)  gA  (X  atom+) 
iT  :  V  {A-  :  Type-}  ->  (A- true')  G A  (A- true') 

11  :  V  (A  A1  A2}  -*■  AgAAI  ->  A  gA  (Al,  A2) 

12  :  V  (A  Al  A2}  -*■  A  gA  A2  ->  A  gA  (Al,  A2) 

data  GG_  :  Hyps  ->  Ctx  Set  where 

:  v  (A  A’  r}  A’  g  r  -»■  a  gA  A’  -»■  a  gg  r 


Contexts  are  lists  of  hypotheses,  where  hypotheses  are  join-lists  of  atomic  assumptions  of  the 
form  A  true"1"  and  X  atom'.  Dually,  conclusions  are  of  the  form  A  true+  or  X  atom' — intuitionistic 
logic  admits  only  a  single  conclusion.  The  type  G  A  represents  de  Bruijn  indices  into  A,  and  the 
type  GG  represents  a  de  Bruijn  index  A  G  T  paired  with  an  index  into  A. 

Patterns  are  defined  in  Figure [C4|by  a  straightforward  inductive  definition,  directly  transcrib¬ 
ing  the  above  rules. 

We  show  the  focusing  rules  in  Figure  [63]  We  define  a  sum  type  Judge  for  the  right-hand 
sides  of  all  of  the  focusing  judgements,  so  that  we  can  define  the  focusing  rules  with  a  single 
judgement  T  F  J.  It  is  convenient  to  break  out  T  F  7  >  7’  as  a  separate  judgement,  and  to 
move  the  right  rule  for  positive  atoms  from  the  inversion  judgement  (in  the  rules  in  Section  |Q|) 
to  the  substitution  judgement.  This  way  the  value  judgements  (right  focus  and  inversion)  and 
the  continuation  judgements  (left  focus  and  inversion)  both  operate  on  a  type,  rather  than  an 
assumption  or  conclusion.  This  also  necessitates  the  new  rule  UseT,  which  passes  from  Use  to 
inversion.  Other  than  these  changes,  each  datatype  constructor  is  a  straightforward  transcription 
a  sequent  rule  from  Section  6.1  Val"  and  Cont+  use  both  admissibility  (to  quantify  over  patterns) 
and  derivability  (to  extend  the  context  with  the  negative  variables  they  produce). 

In  the  companion  code,  we  give  a  simple  implementation  of  the  identity  and  cut  principles 
described  above.  We  do  not  prove  termination  of  these  functions,  though  one  could  do  so  by 
proving  well-foundedness  of  the  structural  subformula  order. 


6.3  Discussion 


Zeilberger  (jZeilbcrgcrj  |2009 )  argues  that  polarity  and  focusing  provide  a  logical  account  of  both 
evaluation  order  and  pattern-matching.  It  is  the  latter  that  facilitated  our  original  investigation 
of  a  proof  theory  mixing  pre-derivability  and  admissibility:  higher-order  focusing  allows  a  con¬ 
cise  but  high-level  description  of  inductive  types,  off-loading  the  hard  work  of  describing  in¬ 
duction  principles  on  meta-level  admissibility  functions.  Its  account  of  evaluation  order  makes 
focusing  a  promising  technique  for  studying  programming  languages  with  effects — for  example, 
in  the  presence  of  certain  effects,  focused  proofs  are  normal  forms  of  contextual  equivalence 
classes  (Zeilberger,  2009).  However,  we  have  not  exploited  this  aspect  of  focused  proofs  in 
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data  _lh_  :  Hyps  -»  Type+  ->  Set  where 
Cx+  :  V  {X}  ->  (X  atom+)  Ih  (X+ X) 

Cx"  :  V  {A"}  ->  (A'  true')  Ih  (}  A') 

C<>  :  -lh‘1 

Cpair  :  V  {Ax  A2  A+  B+} 

->  Ai  Ih  A+  -»•  A2  Ih  B+ 

(A!,A2)  Ih  (A+  <g>  B+) 

Cinl  :  V  { A  A+  B+} 

->  A  Ih  A+ 

->  A  Ih  (A+  ©  B+) 

Cinr  :  V  {A  A+  B+} 

->  A  Ih  B+ 

->  A  Ih  (A+  ©  B+) 

Czero  :  •  Ih  nat 
Csucc  :  V  {A} 

-y  A  Ih  nat 
-y  A  Ih  nat 

data  _lh_>_  :  Hyps  -»  Type'  ->  Cone  ->  Set  where 
De-  :  V  {X}  ->  •  Ih  (X-  X)  >  (X  atom') 

De+  :  V  {A+}  ->  •  Ih  (|  A+)  >  (A+  true+) 

Dapp  :  V  {Al  A2  A+  B'}  {7  :  Cone} 

->  Al  Ih  A+  ->  A2  Ih  B-  >  7 
-»•  (Al,  A2)  Ih  (A+  D  B‘)  >  7 
Dfst  :  V  (A  A'  B'}  {7  :  Cone} 

-y  A  Ih  A'  >  7 
-y  A  Ih  (A'  &  B")  >  7 
Dsnd  :  V  (A  A'  B"}  {7  :  Cone} 

-y  A  Ih  B"  >  7 
-y  A  Ih  (A'  B")  >  7 


Figure  6.4:  Agda  Representation  of  Patterns 


6.3.  DISCUSSION 
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data  FocJudg  :  Set  where 

Val  :  {p  :  Pol}  ->  Type  p  ->  FocJudg 

Cont  :  (p  :  Pol}  ->  Type  p  ->  Cone  ->  FocJudg 

Use  :  Cone  ->  Cone  ->  FocJudg 

Sub  :  Hyps  ->  FocJudg 

Exp  :  Cone  ->  FocJudg 

data  _F_  :  Ctx  ->  FocJudg  ->  Set  where 
Val+  :  V  (T  A}  (C+  :  Type+} 

-»•  A  IF  C+  ->  r  F  Sub  A 
-»•  TF  Val  C+ 

VaF  :  V  {T}  (C-  :  Type'} 

->  (V  {A7}  ->  AIFC">7  ->  A  ::  T  F  Exp  7) 

->  T  F  Val  C" 

Cont+  :  V  (T  7}  (C+  :  Type+} 

-*•  (V  { A}  -»•  AIFC+  ->  A  ::TF  Exp  7) 

->  T  F  Cont  C+  7 

Conr  :  V  (A0  70  7  T}{A-  :  Type'} 

->  Ao  IF  A'  >  70  ->  T  F  Sub  Ao  ->  T  F  Use  70  7 
->  TF  Cont  A-  7 
UseX  :  V  (T  X} 

->  T  F  Use  (X  atom-)  (X  atom') 

UseT  :  V{r7}  { A+  :  Type+} 

->  T  F  Cont  A+  7 
->  T  F  Use  (A+  true+)  7 
SubX  :  V  (T  X} 

->  (X  atom+)  GG  T 
->  TF  Sub  (X  atom+) 

SubT  :  V  {T}  (C  :  Type'} 

-»•  T  F  Val  C" 

->  TF  Sub  (C"  true) 

•  :  v  {r} 

-»•  r  F  Sub  • 

:  V  { Al  A2  T} 

-»•  T  F  Sub  Al  -»•  T  F  Sub  A2 
-»•  r  F  Sub  (Al.  A2) 

R  :  V  {T}  (C+  :  Type"1" } 

-»•  TF  Val  C+ 

->  T  F  Exp  (C+  true+) 

L  :  V  (T  7}  (A-  :  Type-} 

-»  (A-  true-)  GG  T  ->  T  F  Cont  A"  7 
->  TF  Exp  7 


Figure  6.5:  Agda  Representation  of  Focusing  Rules 
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this  dissertation,  where  we  have  concentrated  on  derivability  and  admissibility  in  pure  type  the¬ 
ory.  Thus,  our  initial  investigation  into  mixing  derivability  and  admissibility  was  exploiting  the 
“pattern-matching”  but  not  “evaluation  order”  aspects  of  focusing. 

Another  way  to  achieve  the  same  ends  is  to  use  inductive  types  inside  of  an  existing  type 
theory — where  someone  has  similarly  already  done  the  hard  work  of  describing  induction  prin¬ 
ciples.  This  led  to  the  approach  described  above  in  Chapter  [5]  which  was  more  immediately 
practical,  as  it  allowed  us  to  exploit  an  existing  proof  assistant  more  directly.  Programming  in 
the  encoded  focused  proof  system  described  above  offers  no  real  advantages  until  one  considers 
effects. 


Part  III 

Directed  Dependent  Type  Theory 
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Chapter  7 

2-Dimensional  Directed  Type  Theory 


The  research  described  in  this  part  was  conducted  jointly  with  Robert  Harper. 


7.1  Motivation  and  Background 

To  make  the  embedded  logical  framework  described  above  useful  for  programming  with  logics, 
rather  than  just  syntax,  we  need  general,  as  well  as  hypothetical,  judgements.  As  discussed  in 
Chapter  [2]  the  structural  properties  of  the  generic  judgements  are  more  subtle  than  those  of  the 
hypothetical.  For  example,  recall  the  rule  for  substitution: 

r  b  e  :  r  r,x:r,r\-J 
r,  T'[e/x]  b  J[e/x]  Subst 

This  rule  says  that  the  substitution  into  the  derivation  proves  the  substitution  into  the  context 
and  judgement.  When  implemented  with  de  Bruijn  indices,  weakening,  exchange,  and  contrac¬ 
tion  exhibit  similar  phenomena:  stating  them  for  derivations  requires  a  corresponding  action  on 
judgements. 

To  achieve  these  substitution  principles,  it  is  necessary  that  each  inference  rule  commutes 
with  the  structural  properties,  in  the  sense  that  the  substitution  into  the  conclusion  of  the  rule  is 
the  conclusion  of  the  substitution  into  the  premises.  This  permits  substitution  to  be  implemented 
by  reapplying  the  rule  to  the  substitution  instances  of  the  premises.  For  example,  consider  elim¬ 
ination  for  the  universal  quantifier: 

T,  x  :  term  b  A  prop  T  b  \/x.A  true  T  b  t  :  term 

T  b  A[t/x]  true 

Suppose  r  =  y  :  term,  and  that  s  is  a  closed  term.  Then  substituting  for  y  in  the  premises  gives: 

x  :  term  b  A[s/y\  prop 
\/x.(A[s/y])  true 
t[s/y\  :  term 
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and  we  are  to  show  that  A[t/x\  [ s/y\  is  true.  To  put  the  substituted  premises  together  to  yield  the 
conclusion,  we  need  to  know  that  substitutions  compose  in  the  following  sense: 

A[t/x][s/y\  =  A[s/y][t[s/y]/x\ 

This  raises  the  question  of  which  terms  commute  with  substitution.  Clearly  datatype  con¬ 
structors  do,  and,  as  we  have  just  argued,  substitutions  themselves  do  as  well.  What  about 
functions  defined  recursively?  If  the  index  is  an  admissibility  function,  what  does  it  mean  to 
commute  with  substitution  at  higher  type? 

In  this  chapter,  we  develop  a  framework  for  answering  these  questions.  Our  approach  is  to 
view  the  structural  properties  as  an  instance  of  a  much  more  general  idea,  that  of  directed  phe¬ 
nomena  in  dependent  type  theory.  This  has  several  benefits:  First,  it  gives  a  clear  account  of  what 
constraints  must  be  placed  on  the  indices  of  structural  judgements.  Moreover,  this  account  is  not 
tied  to  a  specific  embedded  logical  framework.  This  is  useful  because,  even  in  this  dissertation, 
we  have  used  a  variety  of  notions  of  entailment,  including  standard  hypotheticals  (Chapter[5]),  as 
well  as  modal  logic  (in  Chapter  [3])  and  affine  logic  (in  Chapter  [4]).  Second,  our  approach  sug¬ 
gests  that  with  a  little  more  work  we  will  able  to  automatically  equip  all  of  these  logics  with  the 
structural  properties,  just  by  writing  down  the  datatype  definitions. 


7.1.1  Structural  properties  as  functoriality 


To  illustrate  what  we  mean  by  directed  phenomena,  we  recast  the  structural  properties  in  the 
language  of  category  theory,  following  Altenkirch  and  Reus](|1999[);  [Fiore  et  al^(|1999[);  [Hofmann 


( 1999).  We  assume  the  reader  is  familiar  with  categories,  functors,  and  natural  transformations, 
but  will  define  the  other  concepts  we  need. 

The  universe  of  contextual  Types  defined  in  Chapter[5]are  interpreted  as  functions  Ctx  — >  Set. 
Our  first  observation  is  that  the  structural  properties  endow  these  functions  with  the  structure  of 
a  functor  from  a  category  of  contexts  to  the  category  of  sets.  To  cover  the  structural  properties  of 
weakening,  exchange,  and  contraction,  we  can  define  Ctx  to  be  the  category  where  an  object  is 
a  context  T.  and  a  morphism  — >  T1'F2  is  a  variable-for- variable  substitution,  represented  using 
the  type  Tx  C  vk2  defined  above.  A  functor  Ctx  — >  Sets  consists  of  a  family  of  sets  Fq,,  which 
preserves  context  maps:  if  'F  C  T'  then  there  is  a  function  Fq,  — *  Fq Of  course,  functoriality  is 
exactly  the  definition  of  weakening  (for  a  whole  context  at  once),  as  used  e.g.  in  Chapter[3j 

The  Types  of  our  universe  show  that  the  collection  of  functors  Ctx  — >  Sets  is  closed  under 
various  type-forming  operations,  whose  action  on  morphisms  is  given  in  the  definition  of  map. 

•  F  <8)  G  is  the  product  functor,  whose  action  on  an  object  \F  is  given  by  the  product  of  Fq, 
and  Gq,,  and  action  on  morphisms  is  given  componentwise. 


•  F  ©  G  is  the  sum  functor,  whose  action  on  an  object  \F  is  given  by  the  sum  of  Fq,  and  Gq,, 
and  action  on  morphisms  is  given  by  case-analysis. 

•  DA  is  a  constant  functor,  with  trivial  action  on  morphisms. 

•  D #  says  that  the  type  1)  e  —  is  functorial,  with  action  on  morphisms  given  by  applying 
the  substitution. 


•  D +D  says  that  the  recursive  type  Data  —  I)  is  functorial,  with  action  on  morphisms  given 
for  variables,  by  applying  the  substitution,  or  for  constants,  recursively. 


7. 1 .  MOTIVATION  AND  BACKGROUND 
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In  contrast,  the  type  F  Z>  G  defines  an  action  on  objects  (\k  goes  to  Fq,  — >  Gq,),  but  is 
not  functorial,  because  the  — >  is  contravariant  in  its  domain.  Given  a  contravariant  functor 
F  :  Ctxop  — >  Sets  and  a  covariant  functor  G  :  Ctx  — >  Sets,  we  can  form  F  D  G  with  action 
on  morphisms  given  by  pre-  and  post-composition.  However,  given  a  covariant  functor  for  the 
domain,  then  the  intended  pre-composition  faces  the  wrong  direction  (we  have  Fq,1  — >  Fq,2  when 
we  need  Fq,2  — >  Fq,1 ).  This  provides  another  explanation  for  why  the  structural  properties  fail 
for  admissibility  functions:  the  structural  properties  are  implemented  by  the  functorial  actions  of 
the  type  constructors,  but  Z>  does  not  determine  a  functor. 

It  also  explains  the  co-  and  contravariant  weave  in  the  definition  of  the  structural  properties 
above:  the  tactics  defined  above  sort  out,  after  the  fact,  whether  a  type  defines  a  functor,  and 
out  of  what  category.  That  is,  the  remaining  structural  properties  can  be  defined  by  looking 
at  different  notions  of  morphism  for  the  category  of  contexts.  If  we  define  Ctx-D  to  have, 
as  morphisms  T  — >  T',  proofs  that  T  and  T'  only  differ  by  variables  not  subordinate  to  D, 
then  a  functor  Ctx-D  — >  Sets  is  a  type  that  is  weakenable  and  strengthenable  by  variables 
not  subordinate  to  D.  If  we  define  the  morphisms  to  be  term-for- variable  substitutions,  then 
functoriality  gives  substitution  as  well  as  weakening,  exchange,  and  contraction.  Of  course, 
these  notions  can  be  combined  as  well. 

7.1.2  Structural  Properties  of  the  Generic  Judgement 

The  advantage  of  this  categorical  view  is  that  it  extends  cleanly  to  the  dependently  typed  case. 
A  simple  type,  like  a  type  Prop  of  propositions,  determines  a  functor  Ctx  ->  Sets.  An  indexed 
judgement  like  T  h  A  true  determines  a  functor  (E  F\Ctx.  Prop(  F))  — >  Sets,  whose  action  on 
objects  gives  the  set  of  derivations,  and  action  on  morphisms  corresponds  exactly  to  the  structural 
properties  of  the  generic  judgement.  Thus,  our  next  task  is  to  understand  E-types  in  category 
theory. 

Given  a  category  C  and  a  functor  F  :  C.  — >  Sets,  the  category  of  elements  of  F,  or  total 
category  of  the  Grothendieck  construction  on  F,  is  the  category-theoretic  analogue  of  the  type 
E  A:C.  F  A.  It  is  written  fc  F: 

•  an  object  of  fc  F  is  a  pair  (o,  a)  where  o  G  Ob  C,  and  a  e  F(o). 

•  a  morphism  from  (o,  a)  to  (o',  a')  is  a  pair  (c,  /)  where  c  :  o  — >c  o'  and  /  is  a  proof  that 
A(c)o  =  o'  as  elements  of  the  set  A(o'). 

•  i  d(0,a)  =  (id0,  refl).  This  is  well-typed  because  A  (id)  =  id,  so  the  second  component 
requires  a  proof  that  a  =  a. 

•  (c,  /)  o  (c',  /')  =  (coc'Jo  A(c)f').  In  the  second  component  we  write  o  for  transitivity 
on  equality  proofs;  this  composition  proves  the  goal  because  A  preserves  compositions. 

Thus,  the  set  of  objects  of  fc  F  is  exactly  E  A:Ob  C.  Ob  (FA).  A  morphism  is  a  morphism 
of  the  first  component  that  is  respected  by  the  assignment  of  elements  given  by  the  second  com¬ 
ponent.  Specializing  this  definition  to  E  F\Ctx.  Prop(  F),  a  morphism  from  ('T,  A)  to  (T',  A1) 
is  a  morphism  w  :  'k  — »  such  that  A'  =  map  w  A.  Thus,  if  a  type  family  h  is  a  func¬ 

tor  (E  F\Ctx.  Prop(  F ) )  — >  Sets,  then  a  context  map  w  :  T  — >  T'  determines  a  function 
h(Tr,  A)  — >•  H  T'.  map  //’  A).  The  substitution  into  the  derivation  proves  the  substitution  into  the 
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judgement,  just  as  we  desired. 

This  discussion  motivates  studying  categories  Ctx  and  f  and  functors  from  them  into  Sets. 
However,  more  generality  is  required.  Consider  a  first-order  logic  with  judgements  of  the  form 
D;  T  b  A,  where  Q  is  an  individual  context,  and  T  is  dependent  on  Q.  As  a  first  cut,  we  might 
represent  this  situation  by  a  category  I  Ctx  whose  objects  are  ST  s  and  whose  morphisms  give 
their  structural  properties,  as  well  as  a  functor  TCtx  :  ICtx  — >  Sets  giving  the  the  truth 
contexts  for  each  individual  context.  However,  the  truth  contexts  themselves  should  not  be  a  set, 
but  a  category,  with  morphisms  representing  their  structural  properties.  Thus,  we  need  functors 
into  Cat,  the  category  of  categories,  not  just  Sets. 

Second,  when  writing  inference  rules,  we  need  to  mention  elements  of  these  sets  and  cat¬ 
egories  (e.g.  particular  proposition  constructors).  These  elements  cannot  be  arbitrary  objects, 
but,  as  discussed  above,  must  commute  with  the  structural  properties.  This  condition  falls  out 
naturally  when  we  consider  a  categorical  interpretation  not  just  of  types,  but  also  of  terms. 

However,  once  we  are  at  the  point  where  we  are  considering  a  categorical  interpretation  of 
both  types  and  terms,  what  we  are  doing  is  of  course  defining  a  programming  language  with 
a  category-theoretic  semantics.  This  connects  our  work  with  recent  investigations  in  higher¬ 
dimensional  type  theory. 


7.1.3  Higher-dimensional  type  theory 


One  of  the  most  cherished  ideas  in  programming  languages  is  the  correspondence  between  logic, 
type  theory,  and  category  theory.  Recent  research  has  suggested  a  second  holy  trinity,  between 


dependent  type  theory,  higher-dimensional  category  theory,  and  homotopy  theory  (Awodey  and 


Warren [  2009 [  Garner[  2009 [  Hofmann  and  Streicher[  1998[  Lumsdaine}  |2009[  van  den  Berg 


and  Gamer],  |2010|  |Voevodskyl  |2010|).  The  homotopy  hypothesis  (|Baez  and  Shulmanj  |2007|) 


postulates  a  correspondence  between  higher-dimensional  categories  and  higher-dimensional  ho¬ 
motopy  types,  and  recent  work  has  extended  this  to  a  correspondence  with  type  theory. 

On  the  type  theoretic  side,  this  correspondence  suggests  enriching  dependent  type  theories 
with  higher-dimensional  types.  Type  theory  is  traditionally  thought  of  as  talking  about  sets, 
which  are  types  of  dimension  0:  sets  have  elements  (objects,  or  0-cells),  which  may  or  may  not 
be  equal.  Types  of  dimension  1  are  like  categories:  they  have  elements,  but  also  have  a  no¬ 
tion  of  map  between  elements  (morphisms,  or  1 -cells),  and  every  function  on  such  a  type  must 
respect  this  notion  of  map.  A  setoid — a  set  equipped  with  an  equivalence  relation — is  an  ex¬ 
ample  of  a  1 -dimensional  type,  but  in  general  the  notion  of  morphism  can  have  computational 
content.  An  example  is  a  category  of  sets  with  isomorphisms  as  morphisms — in  this  case,  there 
can  be  many  distinguishable  maps  between  two  sets.  The  type  of  contexts  and  structural  prop¬ 
erties  is  1-dimensional  as  well.  Types  of  dimension  2  have  elements,  maps,  and  maps  between 
maps  (2-cells) — an  example  is  the  collection  of  all  categories,  with  functors  as  maps  and  natu¬ 
ral  transformations  as  maps  between  maps.  This  is  an  example  of  a  2-category.  In  general,  an 
n-dimcnsional  type  corresponds  to  an  n-category,  or,  equivalently,  a  homotopy  n-type. 

One  important  reason  to  identify  the  dimension  of  a  type  is  that  different  notions  of  equality 
are  appropriate  for  types  of  different  dimensions.  For  sets  (0-types),  there  is  nothing  but  equality 
of  elements.  For  categories  (1-types),  elements  can  be  equal,  but  they  might  also  be  isomor¬ 
phic,  if  there  are  maps  (1-cells)  between  them  that  compose  to  the  identity.  For  categories,  the 
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appropriate  notion  of  equality  is  equivalence :  maps  back  and  forth,  whose  compositions  are  iso¬ 
morphic  to  the  identity,  using  the  2-cells  (two  categories  are  equivalent  if  there  are  functors  back 
and  forth  that  are  naturally  isomorphic  to  the  identity).  The  goal  of  higher-dimensional  type 
theory  is  to  provide  support  for  n-equivalence  in  full  generality:  n-equivalent  terms  should  be 
provably  equal  in  the  theory,  and  all  families  of  types  and  objects  should  respect  n-equivalence. 

On  the  category-theoretic  and  homotopy-theoretic  side,  this  correspondence  suggests  using 
a  higher-order  type  theory  as  a  meta-language,  both  for  category  theory  and  homotopy  theory 
themselves,  and  through  them  for  all  formalized  mathematics — as  has  recently  been  espoused  by 
Voevodsky  (|Voevodsky[,  2010).  In  such  a  theory,  mathematicians  will  always  be  able  to  reason 
up  to  equivalence,  no  matter  the  appropriate  notion  of  equivalence  for  the  objects  in  question. 

The  next  question  is  what  higher-dimensional  type  theory  should  look  like.  Dependent  type 
theories  distinguish  two  different  notions  of  equality:  definitional  equality  (M  =  N  :  A),  which 
is  a  judgement,  and  propositional  equality  (Id  i  M  N ),  which  is  a  type.  Semantically,  the  right 
interpretation  is  that  definitional  equality  means  equality,  but  propositional  equality  means  n- 
equivalence — and  we  will  sometimes  use  this  terminology  for  the  two.  In  Martin-Lof’s  exten- 
sional  type  theory,  definitional  and  propositional  equality  are  identified,  and  all  proofs  of  propo¬ 
sitional  equality  are  trivial;  this  is  expressed  by  the  equality  reflection  and  uniqueness  of  identity 
proofs  rules. 

P  :  Id  4  M  N  _  P  :  ldA  M  N 


M  =  N  :  A 


reflect 


P  =  ref  I M  :  A 


uip 


Note  that  the  second  rule  requires  the  first  to  type-check.  These  rules  are  not  sound  for  the 
aforementioned  interpretation,  as  they  say  that  equivalent  objects  are  equal,  and  all  equivalences 
are  the  identity.  This  is  true  for  sets  (0-types),  but  not  for  higher  dimensions. 

What  is  perhaps  surprising  is  that  Martin-Lof’s  intensional  type  theory  is  in  fact  sound  for 
higher-dimensional  types:  there  is  nothing  in  intensional  type  theory  that  restricts  the  dimension 
of  a  type.  Instead  of  equality  reflection,  propositional  equality  is  eliminated  by  subst 


x:A  h  C  type  P:\dAMN  Q:C[M/x] 
substc  P  Q  :  C[N/x] 


(or,  more  generally,  the  J  rule,  which  allows  a  motive  C  that  is  dependent  on  the  equivalence 
P  as  well).  This  rule  says  that  any  dependent  type  respects  equivalence,  which  is  true  in  any 
dimension.  The  lack  of  UIP  has  sometimes  been  seen  as  a  problem,  addressed  by  axioms  such 
as  Streicher’s  K,  which  is  equivalent  to  asserting  uniqueness  of  identity  proofs  propositionally: 


uip-prop  :  (x  y  :  A)  (p  q  :  Id  A  x  y)  ->  Id  (Id  A  x  y)  p  q 

or  by  making  all  equality  proofs  definitionally  equal,  as  in  OTT  (jAltenkirch  et  al.[[2007 1.  How¬ 
ever,  it  can  now  be  seen  as  a  feature,  which  allows  intensional  type  theory  to  be  interpreted  in 
higher-dimensional  structures. 

Higher-dimensional  interpretations  were  pioneered  in  Hofmann  and  Streicher’s  groupoid  in¬ 
terpretation  (Hofmann  and  Streicher  1998),  which  interprets  intensional  type  theory  in  the  2- 
category  of  groupoids,  functors,  and  natural  transformations:  A  closed  type  denotes  a  groupoid, 
whose  objects  are  the  terms  of  the  type,  and  whose  morphisms  are  the  ( Inequivalences  between 
them.  Identity  and  composition  ensure  that  propositional  equality  is  reflexive  and  transitive, 
while  the  groupoid  structure,  which  demands  that  every  map  be  invertible,  ensures  symmetry. 
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The  hom-sets  of  a  type  A  are  presented  in  the  syntax  as  the  inhabitants  of  the  identity  type 
Idyi  M  N.  Open  types  and  terms  are  interpreted  as  functors,  whose  object  parts  are  (roughly) 
the  usual  sets  and  elements  of  the  set-theoretic  semantics,  and  whose  morphism  parts  show  how 
those  types  and  terms  preserve  equivalence.  When  the  context  is  not  a  discrete  groupoid,  the 
functorial  action  on  equivalences  is  computationally  relevant.  For  example,  consider  a  universe 
set  of  sets  and  isomorphisms,  by  taking  the  propositional  equalities  between  Si  and  S2  to  be 
invertible  functions  £1(51)  — >  El(5'2).  The  rule  subst  states  that  all  type  families  respect  isomor¬ 
phism:  for  any  x  :  set  h  C  :  set,  A  =  B  implies  C[A\  =  C[B).  Computationally,  the  lifting  of 
the  isomorphism  is  given  by  the  functorial  action  of  the  type  family  C . 

Recent  work  has  generalized  this  to  higher  dimensions.  On  the  categorical  side,  [Garner 


(2009)  generalizes  the  groupoid  interpretation  to  a  class  of  2-categories,  rather  than  just  Groupoid. 


Lumsdaine  (2009)  and  van  den  Berg  and  Garner  (2010)  show  that  the  syntax  of  intensional  type 


theory  forms  a  weak  ^’-category.  On  the  homotopy-theoretic  side,  Awodey  and  Warren  (2009) 
show  how  to  interpret  intensional  type  theory  into  abstract  homotopy  theory  (Quillen  model  cat¬ 
egories). 

However,  while  intensional  type  theory  is  sound  for  higher  dimensions,  it  is  definitely  incom¬ 
plete:  First,  there  is  no  way  to  introduce  an  identity  type  by  writing  down  a  higher  equivalence. 
This  is  a  shame,  as  every  type  constructor  has  an  action  on  equivalences,  but  this  action  cannot  be 
exploited  in  the  syntax.  Second,  there  is  no  way  to  observe  the  dimension  of  types — e.g.  certain 
types  that  do  satisfy  UIP  cannot  be  proved  to  do  so.  Voevodsky’s  univalence  axiom  ([Voevodskyj 
2010!)  is  one  way  to  rectify  this.  While  theoretically  sufficient,  the  axiomatic  approach  ignores 


the  definitional  behavior  of  the  functorial  action  of  each  type  constructor,  and  thus,  there  is  still 
some  work  to  be  done  to  understand  a  syntactic  treatment  of  higher-dimensional  type  theory. 


7.1.4  Directed  Type  Theory 

Intensional  type  theory  is  inherently  groupoidal,  in  that  propositional  equality  is  provably  sym¬ 
metric.  However,  in  our  motivating  application  of  programming  with  logics,  the  category  Ctx 
is  not  a  groupoid:  weakening  and  substitution  are  asymmetric.  This  motivates  the  study  of 
directed  dependent  type  theory,  which  relaxes  the  symmetry  requirement  on  proofs  of  equiva¬ 
lence  to  obtain  a  directed  notion  of  transformation  between  elements  of  a  type.  Directedness 
has  many  other  applications,  as  well:  First,  it  extends  the  correspondence  between  type  theory, 
co’-groupoids,  and  homotopy  theory  to  directed  type  theory,  cu-categories,  and  directed  homotopy 
theory.  A  directed  type  theory  would  provide  a  more  general  meta-language  for  higher  category 
theory  and  homotopy  theory,  allowing  the  expression  of  non-symmetric  notions.  While  directed 
homotopy  theory  is  not  as  well  studied,  it  may  have  applications  in  physics,  due  to  the  directed 
aspects  of  space-time.  On  a  more  practical  level,  programming  language  semantics  is  full  of 
directed  notions — reduction,  monotone  functions  on  domains — and  directed  type  theory  may 
have  applications  in  mechanization  of  these  languages.  It  may  also  shed  light  on  the  problem  of 
combining  dependent  types  with  concurrency,  which  has  been  analyzed  in  homotopy-theoretic 
terms  ( Gaucher]  [2003 1) . 

Another  reason  to  study  directed  type  theory  is  that,  as  George  Mallory  would  say,  the  fa¬ 
miliar  dependent  type  constructors  have  an  action  on  directed  transformations,  and  with  a  few 
simple  changes  to  the  theory  we  can  expose  this  nature.  Relaxing  symmetry  requires  two  main 
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changes  to  the  type  theory:  First,  the  type  theory  makes  the  variances  of  type  families  explicit, 
so  that  we  have  the  language  to  say,  e.g.,  that  II  is  contravariant  in  its  domain,  but  covariant  in 
its  range.  Second,  the  type  theory  exposes  higher-dimensional  structure  at  the  judgemental  level, 
not  through  a  propositional  equality  type.  The  reason  for  this  is  that  a  propositional  equality 
type,  in  its  standard  formulation,  relies  subtly  on  the  symmetry  of  equivalence.  This  comes  up 
when  proving  that  the  type  T  b  I d  4  M  N  type  is  functorial  in  T.  The  crux  of  the  matter  is 
implementing  the  following  function: 


idfunc  :  Id  M1  M2  -»•  Id  N{  N2 
idfunc  =  A (a,  6,  c).b  o  c  o  a”1 


Id  Mi  JVi  -»•  Id  M2  N2 


This  is  possible  for  equivalence,  using  inverses.  However,  given  a  transformation  Mi  =4*  M2 
this  function  is  not  implementable.  One  solution  to  this  problem,  which  we  discuss  below,  is 
to  investigate  directed  hom  types  that  relate  two  terms  of  opposite  variance.  However,  a  more 
fundamental  approach  is  to  express  the  structure  we  want — transformations  between  two  terms 
of  the  same  variance — as  a  judgemental  notion,  which  is  not  required  to  be  functorial. 

This  judgemental  approach  to  equality  is  arguably  a  better  presentation  even  for  symmetric 
type  theory:  The  standard  definition  of  the  identity  type  is  incomplete  even  for  sets,  as  it  does  not 
allow  one  to  prove  that  two  functions  are  equal  if  they  agree  on  all  arguments  (and  similarly  for 


other  negative  types).  This  can  be  patched  by  adding  functional  extensionality  as  an  axiom  (Hof¬ 


mann 


1995 ),  or  by  defining  the  identity  type  in  a  type-directed  manner  (Altenkirch  et  al. ,  2007). 
In  either  case,  the  definition  of  Id  4  M  N  is  no  longer  parametric  in  the  type  A.  Thus,  the  rules 
for  the  identity  type  violate  the  principle  that  all  propositional  connectives  should  be  indepen¬ 
dent.  The  common  way  to  restore  orthogonality  is  to  analyze  the  offending  type  constructor  as 
a  judgement,  not  as  a  type.  Additionally,  the  judgemental  approach  offers  more  freedom  than 
the  approach  taken  in  OTT,  where  identity  is  a  type  defined  in  terms  of  other  types:  there  is  no 
reason  to  insist  that  the  2-cells  be  definable  as  1 -cells. 

In  this  chapter,  we  take  a  first  step  in  the  investigation  of  directed  type  theory,  considering 
the  simplest  non-trivial  case,  that  of  a  2-dimensional  theory.  2-dimensional  directed  dependent 
type  theory ,  or  2DTT ,  has  three  layers:  types  (0-cells),  terms  (1-cells),  and  transformations  (2- 
cells),  and  can  be  interpreted  in  a  2-category.  Each  type  itself  denotes  a  1 -category,  with  terms 
as  objects  and  transformations  as  morphisms.  For  simplicity,  the  syntax  reflects  the  structure  of 
a  strict  2-category,  where  the  associativity  and  unit  laws  of  1-cells  are  definitional  equalities,  not 
a  weak  2-category  (bicategory),  where  they  hold  only  up  to  equivalence.  Additionally,  we  treat 
equality  (but  not  equivalence)  as  in  extensional  type  theory — for  example,  we  define  a  universe 
of  extensional  sets,  with  reflect  and  uip.  We  validate  2DTT  by  an  interpretation  in  the  strict 
2-category  Cat  of  categories,  functors,  and  natural  transformations,  generalizing  the  groupoid 
interpretation — though  we  conjecture  that  this  semantics  should  extend  to  a  class  of  2-categories 
with  the  appropriate  structure. 

In  Section  [7~2j  we  present  the  proof  theory  of  2DTT,  followed  by  its  semantics  in  Section [73j 


Additional  Related  Work  An  early  connection  between  A-calculus  and  2-categories  was  made 
by  Seely|  (j!987[),  who  shows  that  simply-typed  A-calculus  forms  a  (non-groupoidal)  2-category, 
with  terms  as  1 -cells  and  reductions  as  2-cells. 
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Variance  annotations  on  variables  are  common  in  simply-typed  subtyping  systems  (Cardelli 

1998j).  In  the  dependently  typed  case,  vari- 


1990;  Duggan  and  Compagnoni  1999  Steffen 


ance  annotations  have  been  used  to  support  termination-checking  using  sized  types,  as  in  Mini- 
Agda  (Abell  20T0). 

Functoriality  of  simple  and  polymorphic  type  constructors  has  been  studied  in  previous  work 
on  generic  traversals  of  data  structures  (Belle  et  al.[  1996}  Laemmel  and  Peyton  Jones}  2003|) 
and  compilation  of  subtyping  (|Crary}|2000);  our  work  generalizes  this  to  the  dependently  typed 
case.  In  tactic-based  proof  assistants,  it  is  possible  to  construct  a  library  of  tactics  for  showing 
that  types  and  terms  respect  equivalence  relations  and  order  relations,  such  as  Jackson’s  library 
for  NuPRL  (Jackson,  1996)  and  setoid  rewriting  in  Coq  (Coq  Development  Team  2009}) .  Our 
approach  here  is  akin  to  building  these  tactics  into  the  language,  equipping  every  type  and  term 
with  an  action  on  transformations.  This  allows  the  computational  content  and  equational  behav¬ 
ior  of  these  actions  to  be  drawn  out.  Jackson  (Jackson,  1995|)  also  describes  several  examples 
of  computationally  relevant  notions  of  equality  that  arise  when  formalizing  algebra,  such  as  per¬ 
mutations  on  lists,  the  associate  relation  in  the  factorization  theory  of  integral  domains,  and  the 
equality  relation  on  a  group  quotiented  by  a  computationally  interesting  normal  subgroup.  Port¬ 
ing  these  examples  will  be  an  interesting  test  of  a  higher-dimensional  type  theory. 


7.2  Base  Theory 

In  this  section,  we  give  a  proof  theory  for  2DTT.  But  first,  we  discuss  a  few  general  methodolog¬ 
ical  points: 


Admissible  versus  derivable  rules  First,  2DTT  requires  several  involution,  identity,  and  com¬ 
position  (substitution)  principles.  These  could  potentially  be  made  admissible  and  defined  as 
meta-operations,  but  we  have  instead  chosen  to  internalize  them  as  syntactic  forms  and  explain 
their  meaning  via  definitional  equality  rules.  For  example,  we  make  use  of  explicit  substitutions, 
rather  than  treating  substitution  as  a  meta-level  operation.  That  said,  we  leave  weakening  admis¬ 
sible,  as  the  de  Bruijn  form  that  results  from  explicit  weakening  is  difficult  to  read.  The  treatment 
of  dependent  types  in  Pitts  ([2000|’s  survey  article  provides  an  introduction  to  this  style  of  syntax, 
with  an  explicit  substitution  judgement  and  internalized  composition  principles.  Presentationally, 
this  style  makes  it  easier  to  comprehend  the  entire  theory.  Semantically,  it  constrains  the  models 
of  the  theory  to  strict  2-categories,  because  these  principles  and  equations  must  hold  not  just  in 
the  syntax,  but  in  any  extension  of  the  theory. 

That  said,  an  alternative  presentation  using  meta-operations  will  be  a  helpful  guide  to  imple¬ 
mentation,  and  our  current  formalism  anticipates  this  alternative  to  some  extent.  In  particular, 
we  set  out  a  methodology  for  defining  types  and  contexts  in  2DTT,  which  ensures  that  the  in¬ 
volution,  identity,  and  composition  principles  are  defined  (via  definitional  equality)  in  terms  of 
other  constructs  in  the  theory.  Because  of  this  goal,  some  of  the  equations  in  the  present  theory 
are  redundant,  in  that  they  can  be  derived  from  others,  but  these  redundant  equations  would  be 
necessary  if  these  principles  and  their  equations  were  made  admissible. 
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Intrinsic  versus  extrinsic  encodings  Thus  far  in  this  thesis,  we  have  made  heavy  use  of 
intrinsic  encodings ,  where  programs  are  identified  with  typing  derivations,  and  there  are  no 
raw/untyped  programs.  Such  a  presentation  is  undesirable  for  a  syntactic  presentation  of  a  de¬ 
pendent  type  theory,  because  the  type  equality  rule  says  that  the  same  term  has  two  different 
types: 

T  b  M  :  A  T  b  A  =  B  type 
T  b  M:B 


If  we  identified  terms  with  derivations,  then  this  cast  would  show  up  in  the  syntax  of  a  program, 
and  therefore  have  to  be  reasoned  about. 

The  right  way  of  thinking  about  intrinsic  encodings  for  dependent  types  is  that  the  indices  are 
not  syntax,  but  semantics'.  The  intrinsically  typed  set  of  terms  TmT  A  is  indexed  by  a  semantic 
type  for  which  the  equations  proscribed  by  T  b  A  =  B  type  are  true.  This  way,  type  conversion 
is  inherited  from  the  meta-language.  One  way  to  realize  this  is  to  view  the  syntax  of  the  theory  as 
an  abstract  specification  of  a  structure  with  certain  operations,  e.g.  in  the  style  of  categories  with 
families  (Dybjerj,  1996}).  However,  in  this  style  of  presentation  the  syntax  is  defined  abstractly 
to  be  the  least  structure  with  these  operations,  rather  than  by  a  concrete  inductive  definition.  An 
alternative  is  define  the  syntax  inductively,  but  indexed  by  semantics,  not  syntax — T m  T  A  is 
defined  inductively,  but  T  and  A  are  semantic  entities  (jMcBride'  2010).  This  requires  defining 
the  syntax  mutually  recursively  with  its  interpretation,  using  induction-recursion  (Dybjer[|2000). 

Because  we  would  like  a  concrete  description  of  the  syntax,  and  would  like  this  presentation 
to  be  accessible  to  those  without  grounding  in  advanced  techniques  such  as  induction-recursion, 
we  opt  for  a  traditional  extrinsic  formulation.  However,  this  decision  forces  us  to  confront  some 
syntactic  questions  that  we  might  have  otherwise  avoided:  When  the  typing  judgements  are 
indexed  by  syntax,  there  is  a  question  of  whether  the  rules  presuppose  or  guarantee  that  their 
subjects  are  well-formed.  For  example,  in  T  b  M  :  A,  A  is  syntactically  a  type,  but  is  it  well- 
formed  in  the  sense  of  the  judgement  T  b  A  type?  There  are  several  possible  answers  to  this 
question: 

1.  Whenever  we  write  T  b  M  :  A,  we  will  presuppose  the  existence  of  a  separate  derivation 
ofT  b  A  type.  So  the  judgement  T  b  M  :  A  can  (potentially)  be  formally  derived  when  A 
is  not  well-formed,  but  we  never  consider  such  cases. 


2.  The  subject  of  the  judgement  T  b  M  :  A  is  really  a  well-formed  A:  there  is  an  extra 
argument  V  ::  T  b  A  type  (perhaps  treated  proof-irrelevantly,  so  the  identity  of  derivations 
does  not  matter). 


3.  The  judgement  T  b  M  :  A  ensures  that  F  b  /I  type  holds,  in  the  sense  that  the  theorem  “if 
T  b  M  :  A  then  T  b  A  type”  is  provable  by  induction. 

4.  The  judgement  T  b  M  :  A  ensures  that  T  b  A  type  holds,  in  that  T  b  A  type  is  directly 
derivable  from  the  premises  of  each  rule,  without  assuming  an  invariant  about  the  system 
as  a  whole. 


5.  The  judgement  T  b  M  :  A  ensures  that  T  b  A  type  is  a  premise  of  the  rule. 

A  related  issue  is  which  type  annotations  are  present  in  the  syntax  of  terms:  are  the  domains  of 
A  annotated?  Is  type  information  available  at  every  level  in  the  syntax  tree? 

When  answering  these  questions,  there  is  a  tension  between  parsimony,  convenience  (of  writ- 
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ing  down  terms),  and  implementation  efficiency — generally  pushing  towards  fewer  premises  and 
annotations — and  the  truth  (or  provability  by  a  particular  technique)  of  meta-theoretic  proper¬ 
ties  on  the  other — generally  pushing  towards  more.  For  example,  it  is  sometimes  the  case  that  a 
premise  is  unnecessary,  but  this  can  only  be  seen  after  developing  the  meta-theory  of  the  calculus. 

In  this  work,  our  main  meta-theoretic  result  is  a  soundness  theorem  interpreting  the  syntax 
in  Cat.  This  theorem  is  akin  to  translating  the  extrinsic  syntactic  formulation  into  a  (particular) 
intrinsic  semantic  formulation.  Of  course,  not  every  syntactic  term  has  a  meaning — only  the 
well-typed  ones — so  the  interpretation  is  only  total  on  well-typed  terms.  However,  because  the 
only  non-syntax-directed  rules  are  equality  rules,  which  are  interpreted  as  real  semantic  equality, 
the  interpretation  is  proof-irrelevant  in  the  derivation:  the  meaning  of  a  term  under  any  two 
derivations  is  the  same.  Indeed,  it  is  helpful  to  know  that  this  uniqueness  property  holds  while 
proving  the  semantic  interpretation  total. 

One  way  to  achieve  this  is  to  first  define  a  partial  interpretation  on  raw  terms,  so  that  it  is  obvi¬ 


ously  independent  of  the  derivation,  and  then  prove  this  relation  total  on  well-typed  terms  (Hof¬ 
mann,  1995;  Streicher|  [1991 ).  However,  because  the  output  of  the  semantics  is  an  intrinsically 
typed  notion,  it  must  be  possible  to  generate  not  just  the  meaning  of  a  term,  but  its  semantic 
type,  from  the  term  itself,  independently  of  the  typing  derivation.  This  can  be  achieved  by  adopt¬ 
ing  the  following  stance:  First,  the  context  is  treated  as  a  presupposition  in  the  sense  of  option 
1  above:  the  rules  never  explicitly  judge  the  context  to  be  well-formed,  but  supply  enough  in¬ 
formation  to  maintain  this  invariant.  Second,  every  other  meta-variable  free  in  a  rule  must  be 
an  explicit  argument  to  the  proof-term;  as  a  consequence,  terms  are  explicitly  annotated  with 
type  annotation  at  each  level  of  the  tree.  For  example,  the  function  and  application  constructors 
for  II  x:A.  B  are  A  x:A.  MB  and  appA  x  B(M,  N).  Second,  each  rule  has  a  formation  premise 
for  each  meta-variable  appearing  in  the  rule,  such  that  under  these  premises  the  premise  and 
conclusion  judgements  are  well-formed  (option  4  above).  For  example, 


r  b  A  type  T  ,  x:A  h  B  type  T  b  M  :  S  x:A.  B 
T  h  snd a,x.bM  :  5[fst  M/x] 


However,  to  make  the  syntax  and  rules  more  readable,  we  adopt  an  informal  convention  that 
these  extra  arguments  and  premises  are  suppressed.  For  example,  we  write  the  usual 

T  P  M:Yx:A.B 
T  h  snd  M  :  B [fst  M/x] 

to  mean  the  above.  Additionally,  though  every  equation  is  a  rule  for  a  typed  definitional  equality 
judgement  T  h  t  —  t'  :  J,  we  elide  the  contexts,  types,  and  formation  premises,  and  present  the 
rules  as  simple  equations.  The  formation  premises  can  be  reconstructed  by  unrolling  the  typing 
rules  of  the  left-hand  side  of  the  equation. 

This  syntax  is  more  verbose  than  the  standard  natural  deduction  formulation — but,  on  the 
other  hand,  the  standard  natural  deduction  formulation  is  more  verbose  than  necessary,  as  it 
fails  to  differentiate  between  situations  where  type  information  flows  from  the  conclusion  to  the 
premises,  and  situations  where  it  flows  from  the  premises  to  the  conclusion.  A  bidirectional 
presentation  of  2DTT  is  an  interesting  subject  for  future  work. 
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Involution 


r  ctx  r°p  H  0 :  Aop  rop  i-  s  0/op  ^AoP  0op 
rop  ctx  r  b  6op :  a  r  b  <5op :  o  =^A  o' 

(p°p)°p  =  p  O-involution 

(0op)op  =  9  1 -involution 

(dop)°P  =  5  2-involution 


Identity  and  composition  for  T  b  6  :  A 


r  d  a  r2  b  e2  r3  rx  b  ox  ■.  r2  r  b  9  ■.  a  r0  p  5 :  0i  02 
r  h  idA  :  a  r,  h  e2[0i\  ■.  r3  r0h  9[8\:0[91]=>Ao\92] 


0O[0[0']] 

=  e0[<rn 

1 -sub st  assoc/unit 

0o[idr] 

=  0o 

idr[0] 

=  0 

0[S[S']] 

=  0[S]  [S'] 

1-resp  assoc 

0[refl@/] 

=  refle[0/] 

1-resp  preserves  refl. 

0[0'][S] 

=  0[0'[S]] 

1-resp  for  1-subst 

id°p 

=  idpop 

op  interactions 

(0t[02])op 

=  0°p[02p] 

(0[s])op 

=  0°P[<S°P] 

Identity  and  Composition  for  r  b  S  :  0  =>&  9' 


r  b  ref  1^  :  9  ==r/\  9 

(S3  o  <52)  o  Si  = 

(5  o  refl)  i 

(ref I  o  <f)  e 

mn 

So[reflid]  = 

reflidp  [S]  E 

{Si  o  <5S)  [A3  O  <f4]  E 

refl0[<5]  i 

refl°p  e 

(Si  o  S2)op 
(Sr[S2])op 


r  b  di  :  9i 
r  b  fa  :  02 


>A  02 
>A  03 


rb<5:0  =^A  O' 

To  h  <5o  :  0o  =^r  0'0 


r  b  fa  o  Si  :  0i  =^a  03  r0  b  (5[50]  :  0[0O]  ^a  0'%] 


S3  o  (c>2  o  di)  tranv  assoc/unit 

5 

5 


So 

<5 


2-resp  assoc/unit 


Si  [S3]  o  <5^  [<54]  interchange 
0[<f]  delegate 


refl^op 

<5°p  o  <5°p 

S?W] 


op  interactions 


Figure  7.1:  2DTT:  Identity,  Composition,  and  Involution  Principles  (1) 
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Composition  for  T  h  A  type 


r  h  9  :  A  A  h  A  type  A  ctx  Ah  C  type  T  h  5  :  0\  ==>a  92  T  h  M  :  C[9i] 
T  h  A[6\  type  T  h  map^  c  5  M  :  C[0g] 


mn  =  mm 

j4[idp]  =  A 
maPA.C  M  =  M 

maPA.C  (82  °  <fi)  M  =  mapA  c  S2  (mapA  c  di  M) 


0-subst  assoc/unit 


0-resp  functoriality 


(mapc  (8  :  6, 


(maP a.c  5  M)m\ 

9  2)  M)[8'  :  9[  =►  0'] 

maPA.C[0:Z\']  8  M 


mapA.c  5[refle0]  M[0 0]  1-substfor  map 

resp1  (x.mapp  (<5[refl0/  ])  x)  (M[8'])  1-respfor  map 
maPA  '.cre^\e[S\M  def.  map  for  A[6] 


Composition  for  T  h  M  :  A 


T  h  #  :  A  A  \~  M  :  A 


A  \~  M  :  A  T  h  5  :  0i 


O2 


h  M[6] :  A[0\  T  h  M[8]  :  (mapA.A  5  (M[9i\))  => m]  M[92 } 


M[9[9']\ 

=  M[9}[9'} 

1- sub st  assoc/unit 

M[  idr] 

=  M 

=  M[« 

1-resp  assoc/unit 

Mfreflg] 

=  reflM[0] 

1-resp  preserves  refl. 

M[0][<5] 

=  Mm] 

1-respfor  1-subst 

Identity  and  Composition  for  T  h  a  :  M  =^a  N 


r  h  ai  :  AI\  =^A  AI‘2 

_  T  h  a2  :  M-2  =^a  AI3 

T  h  refill  :  M  =>a  M  T  h  a2  o  a\  :  M\  =>a  M3 


To  h  50  :  90  =^r  9'0 
r  h  a  :  M  ==^A  N 

r0  h  a [d0]  :  (mapr.A  50  ( M[90 ]))  ^A[o>0]  N\9f0\ 


(«3  o  a2 )  o  a\ 
(a  o  refl) 

(refl  o  a) 


a 3  o  (a2  o  ai) 

a 

a 


a[<5[<S']]  =  «[£][$'] 

a[refl;d]  =  a 


trans  assoc/unit 


2-resp  assoc/unit 


o  (X 2)183  o  <54] 

ref  I M  [^] 


at  [£3]  o  resp1  (x.map  d3  x)  (o^f^])  interchange 
M[5 \  delegate 


Figure  7.2:  2DTT:  Identity,  Composition,  and  Involution  Principles  (2) 
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All  judgements  respect  equality: 

r  =  r'  a  =  a'  r  b  0 :  a'  r  =  r'  r7  b  a  type  r  =  r'  r  b  a  =  A'  type  r'  b  m  ■.  A' 
r  b  6  :  A  rbl  type  r  \~  M:A 

r  =  r'  a  =  a'  r  b  et  =  ■.  a  r  b  e2  =  e'2  ■.  a  r  b  <5 :  e[  =^A'  or2 

r  b  5  :  e1  =>a  o2 

r  =  r'  r  b  a  =  A'  type  rbiEi'ii  r  b  n  =  n'  ■.  a  r'b  a-.M'  ==^A'  n' 

r  b  a  :  M  =>A  N 


Equality  respects  equality:  Each  equality  judgement  has  an  analogous  respect-for-equality  rule,  which 
says  that  it  respects  equality  in  the  context  and  classifier. 

Congruence:  Each  equality  judgement  is  a  congruence,  specified  by  reflexivity,  symmetry,  transi¬ 
tivity  rules,  and  a  compatibility  rule  for  each  term  constructor. 


Figure  7.3:  2DTT:  General  equality  rules 
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Empty  context: 


ctx 

r  f  • 

•  r  h  •  :  •  =>. 

0 

=  . 

1-T] 

5 

EE 

2-i i 

.op 

EE 

0,1, 2 -involution 

id. 

EE 

identity 

■10} 

EE 

1 -sub  st 

•[<5] 

= 

1-resp 

refl. 

=  • 

reflexivity 

•  O  • 

EE 

trans 

•[<5] 

= 

2-resp 

Covariant  term  variables: 


r  b  s  e  o' 

r  ctx  T  \~  A  type  x:A+  eT  C  h  0  :  A  T  \~  M  :  A[0\  Th  a:  (mapA  A  6  M )  =>a[V]  n 

T  ,  x:A+  ctx  r  h  x:  A  f  h  0,M+/x  :  A,x:A+  T  P  ( 5,a+/x )  :  (0,M+/x)  ^a,x-.a+  (0',N+/x) 


idp  ’x:A+[0,M+/x\ 

= 

6 

1-p 

x[0,  M+/x\ 

= 

M 

1-p 

0:(T  ,x:A+) 

idr[0],  x[0}* /x 

1-r) 

id},"1'4  [(5,  a*/x\ 

= 

5 

2-P 

x\5,  a+ /x\ 

a 

2-P 

$  '■  0  =^(T,x:A+)  O' 

= 

idp [<5] ,  x\S\* /x 

2-rj 

idrA:^+ 

= 

idp,  x+/x 

1-id 

(0,M+/x)[0o} 

= 

0[0o\,M[do}+/X 

1-subst 

(0,  M+/x)[Sq\ 

= 

0(6o},M(6oY/x 

1-resp 

refl  e,M*/x 

= 

refle,  ref\M+/x 

refl 

($2,012* /x)  o  (5i,aC/x) 

= 

($2  0  c>i),  (a 2  0  resp1  (z.mapAA  d2  x)  at)* /x 

trans 

( $, ,  a* /x)[5o] 

= 

5[8o\,oi[5o\*  /x 

2-resp 

(T  ,x:A+)op 

= 

Top  ,x:A~ 

O-invol 

(0,M+/x)op 

EE 

0op,  NT /x 

1-invol 

(5,  a+/x)op 

= 

<5op,  of  /x 

2-invol 

Figure  7.4:  2DTT:  Contexts  (1) 
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Contravariant  term  variables: 


r  ctx  r°P  h  A  type  rhfl:A  rop  h  M  :  A[Oop] 
T  ,  x:A '  ctx  T  h  9,  M~ /x  :  A,  x  :  A" 


idp'11'4  [0,  M~/x\ 

= 

e 

9  :(T  ,  x:A~) 

= 

idp  [9\,x[6op\  /x 

idj.x.^ 

= 

:  $  =^(r,s:^-)  & 

= 

idp[5],  x\5op}'  /x 

idr,a;:A- 

= 

idp,  x'/x 

(0,M-/s)[(9o] 

= 

9[e0\,M[e°0py/x 

(0,M7®)[<yo] 

= 

9[60},M[5°0p}-/x 

refle,M-/a; 

= 

reflfl,  ref\M~/x 

(S2,as~/x)  o  (S1,aJ'/x) 

(S'2  o  Si),  [a 2  o  resp 

(S,  a  /x)[5q] 

= 

<5[<50] ,  ck[5^p]  /x 

(r  ,x:^')op 

— 

rop  ,  x:A+ 

(0,M-/x)op 

= 

9°p,M+/x 

a. 

o 

'-o' 

= 

<5op,  a+/x 

T  h  <5  :  6  ==>  a  O' 

rop  F  a  :  (mapAoP,A  (5° p)  IV)  =^[g]  M 
T  h  (5,a/x)  :  ( 0,M~/x )  =^a,x:j4-  ( d',N~/x ) 

1-0 

1- 7] 

2- 0 
2-7] 

1-id 
1 -sub  st 

1- resp 
reft 

(A.map^op  ^  <5gP  x)  aj )  /x  trans 

2- resp 

0-invol 

1- invol 

2- invol 


Figure  7.5:  2DTT:  Contexts  (2) 
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Dependent  functions: 

T°p  h  A  type 

r  ,  x:A~  F  B  type  T  ,  x:A~  \~  M  :  B  TPMr.UxiA.B  rop  F  M2  :  A 

TTlT^Alffype~  r  F  Xx.M  :Hx:A.B  r  hlj  M2:B[M2/x ] 

T  ,x:A- h  a:  (M  x)  (N  x)  T  \~  a  :  M  =>ax;A.  b  N  Top  F  0  :  IVi  =^a  Mi 
T  h  Xx.a:  M  =>nx-.A.B  N  T  F  a  0  :  map^  f3  (MMf)  =>B[Nl/x]  (NN{) 


{Xx.M)  N 
M  :  II  x:A.  B 
(A  x.  ai )  a2 
a  :  M  =$’TLx:A.  b  N 


M[N~/x\ 
Xx.M  x 
a.i  [refl,  a2  /x\ 
Xx.a  (ref Is) 


1-0 

1- rj 

2- 0 
2-r] 


{Ux:A.B)[90} 

maPA.n x-.A.B  $  M 


Ex\A[9°q].  B[9o,  x'/x]  0- sub st 

Xx.  mapA  x:A-  B  (d,  refl)  (M  (map^op  A  6op  x))  O-resp 


{Xx.M)[90} 
{Mi  M2)[9o] 
(A  x.M)[8) 
{M  N)[6] 


X  x.  M[{9o,x  /x)\ 
{M^o})  {M2[90}) 
X  x.  M [6,  refl] 

M[8]  AT[<5] 


1 -sub  st 
1 -sub  st 
1-resp 
1-resp 


refl  m 

(A  x.  a2)  o  (A  x.  ai ) 
{Xx:A.  a)[(5o] 
at  a2[5o] 


Xx.  ref\M  x 
X  x.a2  o  ai 
X  x:A[9'\.  a[5oi  refl /a] 
{at  [5o])  {a2[5o\) 


refl 

trans 

2-resp 

2-resp 


Figure  7.6:  2DTT:  Dependent  Function  Types 
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Dependent  pairs: 

T  hi  type 

T  ,  x:A+  h  B  type  T  h  Mt  :  A  T  h  Mg  :  /x]  rhMiSri.B  T  hM:Si:4.5 

T  h  Ex: A.  B  type  T  h  :Sr4.5  T  h  fst  M  :  A  F  h  snd  M  :  5[fst  M/x\ 

F  h  «i  :  fst  M  =^a  1st  N 

r  I"  «2  :  (map^  ai  (snd  M))  =^[fet  N/x]  snd  N  r  h  or.  M  =*-nx:A.B  N 
F  h  ( ai ,  a 2)  ■  M  =>£  x-.A.  B  N  T  P  fst  a  :  fst  M  fst  N 


r  Fa:  M 

=^S x:A.B  N 

T  h  snd  a  :  (map^  (fst  a) 

(snd  M))  =>B[fstN/x]  snd  N 

fst  (M,N) 

M 

1-P 

snd  (M,  N) 

N 

1-P 

M  :  S  x:A.  B 

= 

(fst  M,  snd  M ) 

1-7 ] 

fst  (■ ai,a2 ) 

= 

CHl 

2-/3 

snd  (ai ,  ct#) 

= 

012 

2-/3 

a  :  M  =>y,x-.a.b  N 

= 

(fst  a,  snd  a) 

2-p 

(Yx:A.B)[90] 

= 

S x:A[9o\.  B[9o,x+/x] 

O-subst 

maPA.s  x-.a.b  &  M 

= 

(mapA.A  $  (fst  M),  mapA  x.A+  B  (g,  reflmap  s  (fst  M))  (snd  M)) 

O-resp 

{{MUM2))[9  0] 

= 

{M1[90\,M2[90}) 

1 -sub  st 

(fst  M)[60\ 

= 

fst  ( M[90 ]) 

1 -sub  st 

(snd  M)[60] 

= 

snd  {M[90}) 

1 -sub  st 

( M,N)[S] 

= 

{M^Nid}) 

1-resp 

(fst  M)[6\ 

= 

fst  M  [<5] 

1-resp 

(snd  M)[5] 

= 

snd  M[5\ 

1-resp 

reflM 

(reflfst  Mi  f^flsnd  m) 

refl 

(a^a's)  0  (ai,a'i) 

= 

{a 2  0  ai ,  a' 2  0  resp1  (z.inapA  .^4  (refl ,  01 1 )  x)  ol1 ) 

trans 

{011 ,  [5o] 

= 

{a1[So],a2[So,  ref  1] ) 

2-resp 

(fst  a)[50] 

= 

fst  a[(5o] 

2-resp 

(snd  a)  [50] 

= 

snd  a[5o] 

2-resp 

Figure  7.7:  2DTT:  Dependent  Pairs 
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Sets  and  elements: 


r  h  5  :  set  r  ,  x:D(S)+  F  M  :  D(S')  T  \~  a  :  M  =>D(S)  N 

r  F  set  type  T  F  V(S)  type  F  h  x.M  :  5  =^set  S'  r  F  *  :  AF  =^V(S)  M  T  F  M  =  N  :  T>(S ) 


maP‘D(5)  M[0 1] 

= 

M[02] 

def  D(- 

a  :  S  =x'Set  S' 

= 

^•maP a:Set.D(a)  ('>«)  ® 

2-rj 

a  :  M  =>v{S)  N 

= 

is 

2-r) 

set[6»0] 

= 

set 

O-subst 

(®(S))N 

= 

maPA.set  5  M 

M 

O-resp 

maPA ,V(8)  5  M 

= 

IV [id,  M+/x]  if  S[6]  =  x.N 

reflS:set 

= 

x.x 

reft 

re^M :  D(S) 

= 

is 

reft 

{x.M})  o  (x.AFg) 

= 

x-MelMi/  x] 

trans 

is  O  is 

= 

is 

trans 

(■ x.M)[5q\ 

= 

x.mapA  s,  So  M[9 ,  x*/x]  if  A  ,  x:T>(S)+  F  M  :  D(S')  and  5q  :  9  = 

9'  2-resp 

*M  [5o] 

= 

M[50] 

2-resp 

Figure  7.8:  2DTT:  General  Rules  for  Sets  and  Elements 
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rop  b  S  :  set  r  F  S  :  set 

r  ,x:T>{Sy  h  5':  set  T  ,  x:V{S)+  F  S' :  set  T  F  S  :  set  T  F  M,  N  :  0(4) 

r  F  n®:S.S":set  r  F  Es:S.S":set  r  H,  1,2:  set  T  F  Ids  M  N:  set 


T  h  M  :Yx:V(S).V{S')  T  F  M  :  D(E  x:S .  S') 

T  F  in  M:V{Yx:S.S')  T  F  out  M  :  Ex:D(S).  V{S') 

r  F  M:Ux:T>(S).  V(S')  T  \~  M  :  D(Ux:S.  S') 

T  F  \nM  :V(Ux:S.S')  T  F  out  M  :  II x:D{S).  V{S') 

r±  F  M  :  V(0)  r±  h  M:  £>(0) 

r  h():  D(l)  r  F  true:  ©(2)  T  F  false:  ©(2)  r  F  abort  M:  C  T  F  abort  M  :  Mi  =^c  M2 

r1  hi:  ©(2) 

r±l-M:©(2)  r,®**  F  (7  type 

T  h  Mr.  C[ true*/®]  T  ,  z:2±  F  MUMS:C 

T  ,  F  (7  type  T  h  ai  :  Mi[true±/x\  ^C[true±/x]  M2[true±/x] 

r  F  Mg  :  Cffalse*/®]  r  F  a2  :  Miffalse*/®]  =^c[faise±/:r]  ^[false*/®] 

r  F  ifx±.c(M,M1,M2):  C[M±/x]  T  \-  \fx±  c(M,a1,a2)  :M1[M±/x\  =>c[M±/x\ 

r  h  a  :  M  =>£)(s)  77  r  F  P  :  Idj^s)  M  N 
T  h  idia:ld5  M  IV  r  F  ide  P  :  M  =^t>(S)  N 

Rules  for  sets: 


n®:S.S'[0] 

Xx:S.S'[6\ 

{O,l,2}[0] 

Ids  M  N[9\ 

{0, 1, 2}  [<5] 

(Ux:S.S')[S  :  6  9’} 

{Yx:S.S')[5  :  9  =^>  9'} 
Ids  M  N[5  :  9  =>■  0'] 


II x:S[9].  S'[9,  x~ /x]  1-subst 

Yx:S[9].S'[9,x+/x\ 

{0,1,2} 

Ma[0]  M[9\  N[9] 

x.x  1-resp 

^•in(maPn x:D(S).D(S')  5  (out M)) 

^•in(map Sx:V(S).D(S')  5  (outM)) 

x.idi  * 


Figure  7.9:  2DTT:  Some  Sets  (1) 
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Rules  for  elements: 

out  (in  M) 

= 

M 

Pv 

in  (out  M) 

= 

M 

M  :  27(1) 

= 

0 

M[(JV:  ©(O))*/®] 

= 

abort  IV 

if  (true,  Mi ,  Mg) 

= 

Mi 

if  (false,  Mi ,  M2) 

= 

m2 

M[(N:  V{2))±/x\ 

= 

if  (TV,  Mftrue*/^],  Mffalse11"/#]) 

ide  (idi  a) 

= 

a 

P:\ds  M  N 

= 

idi  (ide  P) 

(in  M)[9\ 

= 

in  Af[0] 

1- sub  st 

(out  M)[9\ 

= 

out  M[0] 

{(),  true,  false} [0] 

= 

{(),true,  false} 

\fX:2±.c(M,MuM2)[9rA} 

= 

'  fX:B±.cie,x±/x](M[O],M1[0],Mx[6]) 

(idi  a)[9\ 

= 

idi  crfreflfl] 

(id  eP)[8] 

= 

~k 

2-resp 

(in  M)[S] 

= 

1-resp 

(out  M)[5\ 

= 

{(),  true,  false} [5] 

= 

~k 

idi  ck[<5] 

= 

idi  - k 

\I(M,MuM2){8  :  9i  =►  02] 

= 

if  (M[02],M1[8\,M2[8}) 

Rules  for  transformation  elims  for  positives: 

ifx.c(true,  ai ,  a2)  =  a\  f3 

if.T.c(false,  ol!  ,  a2)  =  «2 

a[(reflM:  o)*/^]  =  abort  M  p 

a[( reflM:^)±/®]  =  if  (M,  a[refltrue/a;],  a[reflfa|se/x]) 

(abort  M) [5  :  9\  =>  62]  =  abort M [62}  2-resp 

\f(M,a>i  ,Oi2)[8  :  9\  =*>  02]  =  if(M[02],  aj  [<5],  ag[<5]) 


Figure  7.10:  2DTT:  Some  Sets  (2) 
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7.2.1  Two-dimensional  Judgements 

2DTT  has  three  main  judgements,  defining  contexts  T,  substitutions  6,  and  transformations  8. 
In  the  semantics  given  below,  these  are  interpreted  as  categories  (0-cells),  functors  (1-cells),  and 
natural  transformations  (2-cells),  respectively.  Each  of  these  three  levels  has  a  corresponding 
contextualized  version,  which  is  judged  well-formed  relative  to  a  context  T.  Contextualized  con¬ 
texts  and  substitutions  are  dependent  types  A  and  terms  M,  while  contextualized  transformations 
are  transformations  between  terms.  These  judgements  have  the  following  form: 

•  Contexts:  T  ctx 

•  Substitutions:  T  E  6  :  A  (where  T  ctx  and  A  ctx) 

•  Transformations:  T  E  8  :  6  =^a  9'  (where  T  ctx  and  A  ctx  and  T  E  6,  O’  :  A) 

•  Dependent  Types:  T  E  A  type  (where  T  ctx) 

•  Terms:  T  E  M  :  A  (where  T  ctx  and  TEA  type) 

•  Term  Transformations:  T  E  a  :  M  ==t-A  M'  (where  T  ctx  and  TEA  type  and  T  E 
M,  M’ :  A) 


7.2.2  Involution,  Identity,  and  Composition  Principles 


In  Figures  |7.1|  and  7.2[  we  present  the  generic  involution,  identity,  and  composition  principles 
that  define  the  basic  structure  of  the  theory.  These  principles  and  equations  provide  a  contract 
that  all  specific  contexts  and  types  must  satisfy. 


Involution  The  involution  rules  say  that  there  is  a  dualizing  operation  op  on  contexts,  sub¬ 
stitutions,  and  transformations.  The  equations  say  that  this  dualization  operation  is  involutive 
(self-inverse).  The  rule  for  9op  says  that  the  opposite  of  a  substitution  proves  the  opposite  of 
the  contexts.  To  avoid  specializing  the  context  in  the  conclusion  of  the  rules,  we  phrase  this  as 
an  “elimination”  rule,  removing  op  from  the  two  premise  contexts.  However,  because  op  is  an 
involution,  the  following  “introduction”  rule  is  derivable: 

T  E  0  :  A 

pop  |_  Qop  .  ^yop 

The  dual  of  a  transformation  not  only  dualizes  the  contexts  and  substitutions,  but  also  reverses 
the  direction  of  the  transformation. 


Identity  and  Composition  for  Substitutions  The  next  three  rules  define  identity  and  compo¬ 
sition  for  substitutions. 

To  make  weakening  admissible,  id  is  really  the  composition  of  the  identity  substitution  with 
projections  that  forget  any  number  of  variables  (by  our  convention  about  implicit  formation 
premises,  there  is  a  tacit  premise  that  A  is  still  well-formed).  We  write  T  3  Ato  mean  that 
A  is  obtained  from  T  by  dropping  some  number  of  variables.  For  convenience,  we  specify  weak¬ 
enings  here  for  all  the  contexts  we  will  consider  here,  though  we  could  associate  the  clauses  of 
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weakening  with  each  form  of  context: 


r  D  • 


done 


r 


r  d  r 

x:A ±  D  r 


7  skip 


T  D  T' 

r  ,  x:A±  D  r '  ,x:A± 


keep 


We  do  not  require  a  rule  for  op  because  op  can  always  be  expanded  away  using  equalities. 

Composition  of  substitutions  92  [02],  which  we  refer  to  as  1 -substitution,  is  standard  in  explicit 
substitution  calculi.  The  additional  composition  operation,  9[S\,  forces  substitutions  to  respect 
transformation:  substitution  instances  by  transformable  substitutions  are  transformable.  For  this 
reason,  we  refer  to  it  as  l-resp(ect).  The  first  three  equations  say  that  1-substitution  is  associative 
and  unital.  In  the  second  equation,  idr  can  in  fact  be  a  weakening,  in  which  case  6  is  tacitly 
weakened  in  the  right-hand  side.  The  third  equation  only  makes  sense  when  T  b  id  :  T,  which 
we  notate  by  id},.  The  next  two  rules  say  that  1-resp  associates  with  2-resp  (5 [5']),  which  is 
analogous  operation  for  transformations  (defined  below),  and  preserves  identities  refl( defined 
below).  The  next  three  rules  say  that  op  preserves  identities  (and  projections),  and  distributes 
over  compositions.  As  will  often  be  the  case,  the  second  rule  (for  1-cells)  is  necessary  to  type- 
check  the  third  (for  2-cells). 

Because  of  explicit  substitutions,  2DTT  exploits  a  slightly  interesting  notion  of  variable  bind¬ 
ing:  as  is  standard  in  explicit  substitution  calculi,  the  substitution  operation  92[0i]  is  a  binding 
operator,  with  the  range  T2  of  9\  bound  in  92 — and  similarly  9[S]  and  other  composition  princi¬ 
ples.  Here,  we  will  assume  we  are  working  in  an  informal  logical  framework  that  supports  this 
concept.  It  will  be  made  precise  using  de  Bruijn  indices  in  the  categorical  semantics. 


Identity  and  Composition  For  Transformations  The  next  three  rules  define  identity  and  com¬ 
position  for  transformations.  Transformations  are  always  reflexive  (ref I)  and  transitive  (S2  o  c) , ) . 
Additionally,  transformations  themselves  respect  transformation  (<5[<5o]X  which  we  call  2-resp. 
The  equations  say  that:  Transitivity  is  associative  and  unital  with  reflexivity.  2-resp  is  also  asso¬ 
ciative  and  unital.  However,  the  unit  of  2-resp  is  not  an  arbitrary  ref l0 — which  would  still  require 
adapting  a  transformation  5  :  9  = =>•  9'  to  9[9f\  = =>•  9[9f\ — but  only  T  b  reflidr  :  idr  =^r  idr 
(by  above,  0[idr]  equals  9).  As  above,  the  second  rule  holds  when  id  is  in  fact  a  projection,  but 
the  third  requires  that  it  really  be  the  identity.  The  interchange  law  relates  2-resp  and  transitivity: 
transitivity  followed  by  2-resp  is  the  same  as  2-resp  followed  by  transitivity.  It  has  a  variety  of 
useful  special  cases: 


0[<So<$'] 
(5  o  <T)[refle] 

(5  :  9,  =►  92)[5'  :  9[  =►  0'] 
(5  :  9,  =>-  92)[5'  :  9[  =►  0'] 


9[5\  o  9[5'} 

<5 [refle]  o8'  [ref le] 
ref \e2[8'\  o  A[refle/] 
A[refl0/]  o  refl0J  [5'j 


1- resp  presents  transitivities 

2- resp  presents  transitivities 
2-resp  interchange  1 
2-resp  interchange  2 


The  first  two  equations  say  that  resp  preserves  transitivities.  The  next  two  state  that  a  2-resp  is 
equivalent  to  holding  one  part  fixed  while  doing  one  transformation,  then  holding  the  other  fixed 
while  doing  the  other — in  either  order.  Returning  to  the  figure,  the  rule  delegate  delegates  2-resp 
at  reflexivity  to  1-resp.  The  final  three  rules  say  that  op  preserves  identities  and  compositions, 
reversing  the  order  of  composition  in  the  case  of  transitivity. 
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We  do  not  define  2-subst,  5[0],  directly,  as  this  composition  is  definable  as  <5[ref l0] .  Alterna¬ 
tively,  we  could  take  5[9]  as  primitive  and  define  ()[()']  using  the  interchange  law.  However,  it  is 
in  fact  no  harder  to  define  <5[<5'] ,  as  the  rules  for  the  binary  version  also  proceed  compositionally 
in  the  term,  just  like  ordinary  substitution  with  a  single  9  would.  This  fact  suggests  that  it  may  be 
possible  to  treat  2-resp  as  a  meta-operation,  which  may  be  a  helpful  implementation  technique. 


Dependent  Types  In  Figure  |7.2[  we  tell  the  analogous  story  for  dependent  types,  terms,  and 
term  transformations.  A  dependent  type  A  can  be  pre-composed  with  a  substitution,  written 
A[6\\  and  has  a  functorial  action  mapAyl  5  M,  which  is  the  analogue  of  the  subst  elimination 
rule  for  propositional  equality  described  above,  map  says  that  a  transformation  9i  =>  02  allows 
a  term  of  type  A[6 1]  to  be  coerced  to  a  term  of  type  A{82].  This  says  that  dependent  types  respect 
transformation.  We  refer  to  these  as  0-subst  and  0-resp;  there  are  no  O-subst/resp  for  contexts 
because  contexts  are  not  dependent. 

The  equations  say:  Substitution  into  types  (0-subst)  is  associative  and  unital.  map  is  functo¬ 
rial,  preserving  reflexivity  and  transitivity  (this  could  alternatively  be  phrased  as  an  interchange 
law,  but  the  present  formulation  is  simpler  because  we  have  not  defined  a  type  transformation 
judgement  A  =^tyPe  B).  The  next  two  rules  define  1-subst  and  1-resp  for  map,  which  reasso¬ 
ciate  the  1-subst/ 1-resp  with  the  0-resp.  The  next  rule  defines  map  for  a  composition,  again  by 
reassociating. 

Interactions  between  map  and  2-resp  are  derivable  from  the  above  equations  for  transitivity, 
using  the  interchange  law: 


mapc  (5  :  =*►  6B)[8'  :  6>j  9'2]  M  =  mapc  (<5[refl^J)  (mapc  refl0J  [5']  M) 

mapc  (5  :  91  =>•  92)[5'  :  9\  = =>•  9'2]  M  =  mapc  (refl g2[S])  (mapc  <5[refl0/ ]  M) 

The  interchange  rule,  along  with  the  following,  form  the  Godement  calculus  of  functors  and 
natural  transformation  composition  ( Godement, 1 195 8|): 

(reflex )  [5]  =  refl  e  [refl  £>/  [5]] 

This  rule  is  derivable  because  ref\0o0<  =  reflg  [refl^]  by  I -res p-p reserves- refl  and  associativity. 
There  is  also  a  right  unit  law  for  resp  and  reflid: 


refle[reflid]  =  refl0 


It  is  derivable  using  1-resp  preserves  refl.  and  unit  of  id. 


Terms  Like  all  contextual  judgements,  terms  are  closed  under  substitution  (M[9])  and  respect 
transformation  (M[<5]).  Because  terms  are  dependent  on  the  context,  the  latter  requires  “adjust¬ 
ing”  M[9 1]  by  5  so  that  it  lives  in  the  same  type  as  M[92\.  The  equality  rules  are  analogous  to 
those  for  substitutions:  1-subst  is  associative  and  unital,  and  1-resp  is  associative  and  preserves 
reflexivities. 

An  associativity  rule  for  1-subst  followed  by  1-resp  in  a  term  is  derivable,  using  1-resp- 
preserves-refl,  congruence,  and  delegate  and  associativity  for  2-resp  (see  below): 


M[0][<5]  =  M[reflfl[5]]  1 -resp  for  M [9] 
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Using  interchange,  we  can  derive  that  M  preserves  transitivities  from  the  above  interaction 
with  2-resp: 

ref  I  m  °  =  refljw^]  °  (resp1  (x.map  8  x )  (reflM^])) 

Term  Transformations  The  rules  for  term  transformations  are  entirely  analogous  to  the  rules 
for  transformations,  specifying  reflexivity,  transitivity,  and  2-resp.  The  equations  say  that  tran¬ 
sitivity  is  associative  and  unital,  that  2-resp  is  associative  and  unital,  and  that  the  order  of  trans 
and  2-resp  can  be  interchanged.  The  interchange  rule  uses  the  derived  form  resp1  ,  which  is 
explained  below. 

General  equality  rules  Figure |7]3]collects  a  variety  of  general  equality  rules:  Each  judgement, 
including  equality,  respects  equality  of  its  indices,  and  is  a  congruence. 

7.2.3  Contexts 

With  the  basic  setup  in  hand,  we  are  ready  to  define  some  concrete  context  formers.  The  general 
methodology  for  defining  a  context  is  to  specify 

1 .  A  formation  rule  for  T 

2.  A  substitution  rule  6  :  T,  and  a  hypothesis  rule  for  one  of  the  other  judgements  (e.g. 
the  term  rule  for  x  for  the  context  former  T  ,  x:A+).  These  function  as  the  introduction 
and  elimination  rules  for  the  context,  though  we  require  contexts  to  be  products  of  some 
sort,  eliminated  by  first  projections  (which  are  implicit  in  id)  and  variables  (representing 
projections). 

3.  A  transformation  rule  for  8:6  ==^r  6' 

4.  Equations  defining 


i-Pn 

drj  for 

2-Pv 

/ 3r)  for 

O-involution 

pop 

1  -involution 

0°p 

2-involution 

5° p 

identity 

idp 

1-subst 

m 

1-resp 

m 

reflexivity 

refl  <9 

transitivity 

8  o  5' 

2-resp 

m 

In  general,  refl  and  8  o  8'  are  defined  in  a  type-directed  manner,  by  giving  one  rule  that  covers 
arbitrary  arguments.  On  the  other  hand,  the  subst/resp  principles  are  defined  in  a  syntax-directed 
manner,  giving  one  rule  for  each  syntactic  construct. 
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It  may  seem  redundant  that  we  ask  that  each  context  to  give  equations  for  both  ide  and  6  [5] ,  as 
\do  =  idei  [refljd]  =  (9 1  ref  I  id — so  perhaps  one  operation  could  be  derived  from  the  other.  However, 
because  these  definitions  are  mutually  referentially,  and  we  have  not  yet  sorted  out  whether  there 
is  some  induction  order  that  allows  one  to  be  defined  in  terms  of  the  other,  we  give  the  rules  for 
both  operations  to  be  safe. 

In  Figure [74] and  Figure [73]  we  carry  out  this  methodology  for  the  basic  contexts: 

Empty  context  The  empty  context  has  a  trivial  substitution  into  it,  and  a  trivial  transformation 
from  this  substitution  to  itself.  Since  the  substitutions  and  transformations  are  singletons,  the 
equations  are  all  trivial. 

Covariant  context  extensions  Next,  we  present  the  rules  for  covariant  context  extension:  if  A 
is  a  type  well-formed  in  F,  then  F  can  be  extended  with  a  variable  of  type  A.  A  covariant  variable 
can  be  used  as  a  term;  the  typing  rule  checks  that  the  variable  is  in  the  context: 

_ 

x:A+G(r,  A+)  x:  A+  e  (T  ,  y.B^) 

As  with  weakening,  we  do  not  include  a  rule  for  op,  which  can  be  expanded  away.  The  substitu¬ 
tion  into  an  extended  context  A  ,  x\A+  is  a  pair  of  a  substitution  6  into  A  and  a  term  of  type  A, 
adjusted  by  9  (this  is  analogous  to  the  usual  introduction  rule  for  a  E-type).  A  transformation  be¬ 
tween  such  substitutions  is  a  pair  of  transformations,  one  between  the  substitutions,  and  the  other 
between  the  terms  (adjusted  by  the  first  component).  As  these  substitutions  and  transformations 
are  pairs,  the  first  set  of  rules  gives  the  expected  f3r]  rules,  for  the  projections  given  by  idand  vari¬ 
ables.  The  next  rules  define  the  identity,  composition,  and  involution  operations  componentwise. 
The  involution  rules  turn  covariant  context  extension  into  contravariant  context  extension,  which 
is  defined  below. 

In  the  definition  of  refl,  trans,  and  2-resp,  we  cheat  a  little  bit  by  assuming  that  the  substi¬ 
tutions/transformations  are  in  the  form  of  the  intro  rules,  when  in  fact  these  operations  must  be 
defined  for  arbitrary  elements.  This  cheat  is  justified  by  the  77-rules,  and  make  the  rules  somewhat 
easier  to  read.  Similarly,  in  the  /3-rules,  we  cheat  by  assuming  that  the  substitution  is  in  introduc¬ 
tory  form  for  exactly  the  context  in  question;  this  can  always  be  achieved  by  reassociating.  We 
also  cheat  a  bit  by  not  defining  separate  syntactic  constructs  for  projections  from  context  trans¬ 
formations,  using  reflid  and  refl^  instead — e.g.  we  should  define  reflv(x)  :  x  =^a  x,  distinct 
from  reflx.  These  would  be  necessary  for  refl  to  be  entirely  definable  in  terms  of  other  syntactic 
constructs. 

The  familiar  resp  congruence  rule  derives  respect  for  the  last  variable  in  the  context: 

T\~a:M^AN  T  h  B  type  T  ,  x:A+  h  F  :  B 
T  h  resp1  F  a  :  F[M/x\  => B  F[N/x\ 

by  resp1  F  a  =  F[idid,  a+ /x\.  This  is  well-typed  because  map  id  cancels. 

We  will  also  make  use  of  the  corresponding  rule  for  map,  a  derived  form  for  transforming  the 
last  variable  in  the  context: 

T,  x:A+  h  B  type  F  F  a:  :  Mj  =>a  M2  ThM:  B[Mt*/x] 


r  F  map^:j4+  B  a  M  :  B[M2+/x\ 
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This  is  defined  by  mapl:A+  B  a  M  =  mapr  A+  B  id,  a*/x  M. 

Contravariant  context  extensions  Next,  we  present  the  rules  for  contravariant  context  exten¬ 
sion:  if  A  is  a  type  well-formed  in  Top,  then  T  can  be  extended  with  a  variable  of  type  A.  For 
the  most  part,  these  are  renamings  of  the  rules  for  covariant  context  extension,  except  for  the 
following:  First,  there  is  no  rule  for  using  a  contravariant  variable.  This  is  because  we  reduce 
contravariant  terms  to  covariant  terms  using  op,  and  using  the  rules  for  F  ,  x:A~op,  a  contravariant 
variable  becomes  a  covariant  variable.  Second,  the  transformation  rule  reverses  the  order  of  M 
and  N  in  the  premise.  Third,  various  op,s  are  inserted  on  substitutions  and  transformations  to 
make  the  types  work  out. 

A  contravariant  last-variable  map  rule  is  also  definable: 

T,  x:A~  F  B  type  ropPa:M2^AM1  TPM:  B[Mf  /x] 
r  F  map l-A-.s  OL  M  :  B[M2'/x\ 

by  maP l.A-.B  ot  M  =  mapr  x:A-  B  (id,  a/x)  M. 

7.2.4  Types 

With  contexts  in  hand,  we  can  move  on  to  types  and  terms.  In  general,  a  type  is  specified  by: 

1 .  A  formation  rule  for  A 

2.  Introduction  and  elimination  term  rules,  defining  M  :  A 

3.  Introduction  and  elimination  transformation  rules,  defining  a  :  M  ==>A  M' 

4.  Equations  defining 


l-f3rj 

1 3i ]  for  M 

2-Pv 

3ij  for  a 

0- substitution 

m 

O-resp 

map A  S  M 

1  -substitution 

M[9 } 

1-resp 

M[5] 

reflexivity 

refljtf 

transitivity 

a  o  a' 

2-resp 

a  [5] 

Dependent  functions  In  Figure  [7~6j  we  give  the  rules  for  dependent  functions.  The  formation 
rule  is  standard,  except  that  the  domain  is  well-formed  contravariantly  in  T,  and  thus  assumed  as 
a  contravariant  assumption.  The  intro  and  elim  rules  then  insert  the  appropriate  op’s.  The  trans¬ 
formation  introduction  rule  says  that  a  transformation  at  II  can  be  introduced  by  giving  a  family 
of  transformations  that  work  for  each  element — the  extensionality  rule.  A  transformation  is  elim¬ 
inated  by  applying  to  transformable  arguments.  The  symmetric  variants  of  these  transformation 
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rules,  and  the  equations  for  them  described  below,  have  been  considered  in  prior  categorically- 
motivated  accounts  of  functionally  extensional  propositional  equality  (Garner,  2009). 

The  T //-rules  are  the  expected  rules  for  functions,  both  at  the  term  and  transformation  levels. 
We  write  M[N/x]  to  abbreviate  M[ id,  N/x].  Substitution  into  a  II-type  proceeds  composition- 
ally,  though  we  always  op  the  substitution  in  contravariant  positions,  map nx-.A.B  1S  given  by 
pre-  and  post-composition.  Note  that  the  definition  of  transformation  at  A,  x  :  A '  is  just  right  so 
that  5,  ref  I  works  as  the  post-composition.  1-subst  and  1-resp  are  both  defined  compositionally, 
as  is  2-resp.  The  rule  for  refl  says  that  the  identity  at  all  elements  is  the  identity.  In  the  definition 
of  transitivity,  we  again  cheat  by  assuming  the  transformations  are  in  introductory  form,  which 
makes  sense  because  of  77,  but  we  could  equivalently  use  the  elimination  rule  instead. 


Dependent  pairs  The  rules  for  S-types  are  mostly  unsurprising,  essentially  a  contextualized 
version  of  the  rules  for  covariant  context  extension.  The  formation  rule  is  analogous  to  II,  but 
the  first  component  is  well-formed  covariantly,  and  the  typing  of  the  second  component  uses 
covariant  context  extension.  The  term  rules  are  standard;  the  transformation  rules  say  that  a 
transformation  between  a  pair  is  a  pair  of  transformations,  map  is  defined  componentwise;  in  this 
case,  the  definition  of  transformation  at  A,  x  :  A+  is  just  right  so  that  <5,  refl  works  as  the  second 
component.  The  f3p- rules  are  standard,  and  the  substitution  rules  are  all  defined  compositionally. 
Identity  and  composition  are  defined  componentwise. 


Sets  and  elements  As  our  first  example  of  a  base  type  with  non-trivial  transformations,  we 
consider  a  universe  set  that  contains  discrete  types.  That  is,  each  term  S :  set  will  represent  a 
type  D(S)  whose  elements  have  no  non-identity  transformations  between  them.  However,  set 
itself  is  not  a  discrete  type:  we  take  a  transformation  from  S  to  S'  to  be  a  function  from  D(S)  to 
D(S').  Consequently,  any  type  s  :  set  h  C  type  will  admit  a  lifting  of  a  function  from  D(S)  to 
D(S')  to  a  transformation  from  C'[<S'/s]  to  C[S"/s].  This  is  the  common  functor  interface  used  in 
many  programming  languages.  This  universe  of  sets  is  extensional ,  in  that  transformation  at  sets 
satisfies  equality  reflection  and  definitional  uniqueness  of  identity  proofs — one  can  work  with 
these  sets  as  one  would  work  in  extensional  type  theory. 

There  are  different  ways  of  populating  the  types  D(S)  determined  by  a  universe:  First,  one 
may  define  D(S)  by  recursion  on  S,  computing  an  existing  type  that  represents  its  elements.  Sec¬ 
ond,  one  may  define  elements  of  the  universe  by  giving  a  signature  of  constants  and  equations — 


using  the  type  theory  in  the  style  of  Martin-Lof’s  logical  framework  (Nordstrom  et  al.,  1990). 


Third,  one  may  give  inference  rules  directly  defining  the  members  of  these  types.  In  what  fol¬ 
lows,  we  opt  for  the  third  option.  There  are  two  reasons  for  this  choice.  The  first,  which  is 
somewhat  technical,  is  discussed  below — the  set-  and  type-versions  of  II  and  £  are  semantically 
isomorphic,  but  not  equal — so  defining  D(S)  by  recursion  would  ignore  this  isomorphism.  The 
second  reason  is  that  it  is  more  convenient  to  specify  a  set,  than  a  type,  because  the  transforma¬ 
tions  between  elements  are  always  only  reflexivity.  A  set  is  specified  by: 

1.  A  formation  rule  for  S  :  set,  with  equations  for 


1  -substitution  for  S  S  [0] 
1-resp  for  S  S  [5] 
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2.  Terms  defining  M  :  'D(S),  as  well  as  equations  defining 

/3r)  (3r)- rules  for  D(S) 

1 -substitution  M[6 } 

1-resp  M[5] 

For  simplicity,  we  introduce  sets  by  inference  rules,  though  the  signature  approach  would  work 
as  well. 

The  equations  for  1-resp  for  each  S  define  the  functorial  action  of  the  set  former — which  is 
used  by  map.  The  equations  for  1-resp  for  each  term  M  are  often  computationally  trivial,  and 
involve  only  the  verification  of  equations — any  transformation  at  D(S)  is  reflexivity.  However, 
we  include  these  equations  because  the  act  of  seeing  that  the  trivial  equation  is  well-typed  is 
where  one  verifies  that  the  appropriate  equations  hold. 

Sets  and  Elements.  In  Figure  |T8|  we  present  the  generic  rules  that  apply  to  all  sets:  set  is  a 
type,  as  is  D(S)  if  S  has  type  set.  A  transformation  at  set  is  a  function  from  the  elements  of  one 
to  the  elements  of  the  other.  The  only  transformation  between  elements  of  sets  is  reflexivity,  and 
such  transformations  are  eliminated  by  equality  reflection. 

The  first  equation  says  that  1-resp  action  of  elements  of  sets  is  an  equality,  which  is  true 
because  D(S)  is  a  discrete  type:  if  M  :  D(S)  then  M  takes  transformable  arguments  to  equal 
results.  The  next  two  equations  ^-expand  a  transformation  at  set  into  a  map,  and  a  transformation 
at  'D(S)  into  reflexivity.  The  rules  for  0-subst  are  compositional. 

map  at  set  is  a  no-op,  because  set  is  a  constant  functor,  map  at  D(S)  applies  the  function 
(open  term)  given  by  1-resp  of  S,  S  [()] .  We  will  give  rules  for  each  set-former  defining  S[5}. 
There  are  a  couple  of  different  ways  in  which  S  [5]  can  be  equal  to  a  transformation  x.N.  The  first 
is  by  77-expansion  using  2-7],  but  this  expansion  itself  uses  map,  so  the  0-resp  equation  is  trivial. 
The  second,  and  more  useful,  is  by  applying  composition  ( 1-resp )  and  computation  rules  (2-/3) 
until  a  transformation  x.N  that  does  not  simply  re-introduce  the  map  is  computed.  In  the  present 
calculus,  a  transformation  at  set  can  always  be  put  into  this  form.  If,  however,  we  introduced 
transformation  variables  (see  below),  then  S' [5]  might  compute  to  a  variable  transformation,  in 
which  case  mapA  5  M  would  not  compute  any  further.  In  this  case,  it  would  be  useful  to 
add  a  separate  elimination  construct  for  applying  a  transformation  at  set  to  a  term,  in  order  to 
preserve  the  property  that  map  can  be  defined  in  terms  of  other  operations  in  the  calculus. 

Reflexivity  and  transitivity  are  defined  in  the  expected  way  for  sets,  and  trivially  for  elements. 
The  2-resp  rule  for  set  says  that  a  function  x.M  respects  a  transformation  §  by  running  M  at  the 
source  and  then  applying  5.  The  2-resp  rule  for  D(-)  is  analogous  to  delegate. 

Basic  Sets:  Rules.  In  Figures  [7l9| and |7T0|  we  present  the  rules  for  some  basic  sets:  II,  E, 
0  (the  empty  set),  1  (the  unit  set),  2  (booleans),  and  Id  (identity  between  two  elements  of  a  set). 
Though  we  leave  a  general  transformation  type  internalizing  =>•  to  future  work,  it  is  possible  to 
define  an  identity  type  for  symmetric  types,  which  every  discrete  type  D(S)  trivially  is. 

The  rules  for  II  and  E  express  that  they  are  isomorphic  to  Ff/E  types  of  discrete  elements. 
We  cheat  a  little  here  and  break  orthogonality  of  the  connectives,  defining  II  and  E  by  these 
isomorphisms  (in  fact,  giving  rules  for  D(S)  at  all  breaks  orthogonality,  so  perhaps  we  should 
have  a  separate  judgement  for  the  elements  of  a  set) — otherwise  we  would  have  to  spell  out 
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functions,  application,  pairing  and  projections  again.  In  fact,  the  domain  of  a  II  need  not  be 
restricted  to  a  set:  II  x: A.  S  is  a  set  even  if  A  is  higher-dimensional.  However,  in  our  present 
theory  types  are  both  higher-dimensional  than  sets,  and  of  higher  size  than  sets:  set  itself  is  a  type. 
So  such  a  quantifier  would  not  only  be  higher-dimensional,  but  impredicative.  If  additionally  we 
had  a  universe  typ  of  small  types,  then  it  would  be  appropriate  to  allow  Id’s  to  range  over  A  :  typ. 

0, 1,  2  are  introduced  by  the  usual  rules.  The  elimination  rules  for  0  and  2  have  one  sub¬ 
tlety:  they  allow  elimination  of  both  co-  and  contravariantly  well-formed  terms — we  abbreviate 
a  choice  between  T  and  Top  by  T+ .  The  reason  for  this  is  that  the  natural  deduction  rules  for  pos¬ 
itive  types  build  in  a  cut,  and  the  appropriate  notion  of  cut  includes  both  co-  and  contra- variant 
cut  formulas  (cf.  the  fact  that  substitutions  allow  for  both  co-  and  contra  variant  variables).  The 
negative  types  that  we  have  considered  thus  far  do  not  exhibit  this  phenomenon  because  their 
elimination  rules  do  not  build  in  a  cut.  Positives  can  also  be  eliminated  towards  transformation 
judgements,  so  we  add  rules  for  eliminating  0(0)  and  0(2)  towards  M  =>a  N.  We  could  also 
add  elimination  rules  towards  other  judgements  (types,  substitutions,  transformations  between 
substitutions),  but  what  we  have  were  is  enough  to  illustrate  the  idea. 

The  rules  for  the  identity  type  express  an  isomorphism  with  the  corresponding  term  transfor¬ 
mations. 

Basic  Sets:  Equalities.  1-subst  into  each  set  is  as  expected.  1-resp  is  the  identity  for  constant 
sets,  defined  in  terms  of  II  and  £  types  for  II  and  £,  and  computationally  trivial  for  identity 
(the  verification  that  the  right-hand-side  is  well-typed  uses  symmetry  of  equality).  Next,  in  Fig¬ 
ure  [7T0j  the  (3rj  rules  express  the  isomorphisms  for  II  and  £  and  Id,  and  the  usual  equations 


for  0,1,2.  For  symmetry,  we  include  the  coproduct  rules  for  0  and  2,  but  it  they  can  also  be 
proved  using  the  transformation  elimination  rules  and  then  reflected.  1-subst  (and  2-resp  for 
ide  )  are  defined  compositionally.  The  1-resp  rules  are  computationally  trivial,  but  the  fact  that 
they  are  well-typed  is  interesting:  e.g.  the  rule  for  in  M  requires  showing  that  if  two  terms  are 
transformable  at  £  x:  0(5').  0(5")  then  they  are  equal — which  is  true  because  the  transformation 
provides  equalities  of  each  component.  The  rule  for  if  uses  the  transformation  elimination  form 
for  booleans.  The  transformation  elims  satisfy  similar  / 3r ]  and  2-resp  laws. 


7.2.5  Weakening 

Weakening  is  admissible  for  all  judgements  of  the  form  V  h  J: 

LEMMA  7.2.1.  Weakening.  IfT\~J  and  r'7T  then  T7  h  J. 

Additionally,  because  idr  includes  weakening,  the  equations  allow  pruning  irrelevant  com¬ 
ponents  from  a  substitution.  For  example: 

t[9,  M±/x\  =  t[9]  if  A  h  t :  J  and  T  h  6  :  A 
t[5,a±/x]  =  t{5\  similarly 

mapA  3, .  A±  c  (5,  oA  jx)  M  =  mapA  c  5  M  if  A  h  C  type 

For  the  first,  by  unit  t  =  t[id]r;  so  by  associativity  t[9,  M± /x]  =  t[\dr[9,  M± /x}\,  which  (3- 
reduces  to  t[9].  The  remaining  equations  are  similar,  because  reflid  acts  as  a  projection  on  trans¬ 
formations. 
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As  an  extremal  case,  if  a  term  is  closed,  then  the  substitution/map  is  trivial.  For  example: 

map  ac5M  =  M  if  A#C  def.  map  for  constant 

C  =  (7[id.],  so  reassociating  using  def.  map  for  A[6\  turns  the  transformation  into  id.  [A],  which 
is  equal  to  the  identity. 

These  observations  allow  us  to  derive  the  usual  lookup  rules  for  variables: 

x\9\  =  9(x)  1 -comp  for  variables 
x[S]  =  S(x)  2-comp  for  variables 

where  we  write  9{x )  for  the  function  that  extracts  the  M/x  component  of  9,  and  similarly  for 
5.  This  is  derivable  by  first  projecting  away  the  irrelevant  components  and  then  using  the  j3 
rule — x[9,  M+ /x]  and  similarly  for  5. 


7.3  Semantics 

In  this  section,  we  give  a  semantics  in  Cat ,  the  2-category  of  categories,  functors,  and  natural 
transformations. 

The  intuition  for  this  interpretation  is  that  a  context,  or  a  closed  type,  is  interpreted  as  a  cate¬ 
gory,  whose  objects  are  the  members  of  the  type,  and  whose  morphisms  are  the  transformations 
between  members.  Thus,  a  substitution  (an  “open  object”)  is  interpreted  as  a  functor — a  family 
of  objects  that  preserves  transformations.  A  transformation  (an  “open  morphism”)  is  interpreted 
as  a  natural  transformation — a  family  of  morphisms  that  respects  substitution.  More  formally, 
the  context,  substitution,  and  transformation  judgements  are  interpreted  as  follows: 

•  [T]  is  a  category 

•  [T  b  6  :  A]  is  a  functor  [0]  :  [T]  — ■»  [A] 

•  [T  b  §  :  9i  =^A  92 ]  is  a  natural  transformation  [5]  :  [$i]  =>  [02]  :  [T]  — ■>  [A] 

Next,  we  consider  the  semantics  of  types,  terms,  and  term  transformations. 

Semantic  Types  The  judgement  T  b  A  type  represents  an  open  type.  Correspondingly,  it 
should  be  interpreted  as  a  functor  that  assigns  a  closed  type  to  each  object  of  T,  preserving 
transformations.  Since  closed  types  are  represented  by  categories,  this  is  modeled  by  a  functor 
into  Cat: 

[T  b  A  type]  is  a  functor  [A]  :  [T]  — ■>  Cat 

To  interpret  the  type  set,  we  require  a  category  of  sets  in  Cat.  Thus,  we  take  Cat  to  be  the 
category  of  large  categories,  so  that  it  includes  Sets  as  an  object.  Because  Cat  is  larger  than  [T], 
the  space  of  functors  T  — >  Cat  relies  on  an  implicit  inclusion  of  large  categories  into  “larger” 
categories. 

As  a  notational  convention,  we  will  overload  notation  so  that  the  semantics  looks  just  like 
the  syntax:  First,  we  use  the  same  letter  for  a  piece  of  syntax  and  for  the  semantic  concept  it  is 
interpreted  as;  e.g.  we  will  write  T  for  a  category,  9  for  a  functor,  A  for  a  functor  into  Cat,  etc. 
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Second,  we  use  the  same  symbols  as  we  use  in  the  syntax  for  the  2-category  structure  on  Cat: 
we  write  the  identity  functor  as  id,  functor  composition  as  0(9'],  vertical  composition  of  natural 
transformations  as  5  o  S',  horizontal  composition  as  <5  [5'],  and  the  identity  natural  transformation 
as  reflfl,  and  the  action  of  op  as  rop,  etc.  Additionally,  we  abbreviate  Y  — >  Cat  by  Ty  Y. 


Semantic  Terms  Above,  we  defined  the  category  of  elements  of  a  functor  A  :  Y  — >  Sets, 
fr  A,  which  represents  the  context  extension  Y  ,  x:T)(A)+.  The  general  form  of  the  Grothendieck 
construction  works  for  a  functor  A  :  Y  — >  Cat: 


•  an  object  of  fc  A  is  a  pair  (o,  a)  where  o  G  Ob  C,  and  a  G  Ob  A(o). 

•  a  morphism  from  (o,  a)  to  (o',  a')  is  a  pair  (c,  /)  where  c  :  o  — o'  and  /  :  A(c)o 
o' 

•  ida) 

•  (c,  /)  °  (d,  f)  =  (coC'Jo  A(c)f') 


This  differs  from  the  definition  given  above  by  requiring  a  morphism  for  the  second  component, 
rather  than  an  equality. 

The  Grothendieck  construction  constructs  not  only  a  category,  but  a  (covariant)  fibration^ 
Suppose  p  :  E  — >  T.  The  fiber  of  E  over  o  G  Ob  T  is  the  subcategory  Ea  consisting  of  those 
objects  e  of  E  such  that  p(e)  =  o,  and  those  morphisms  /  such  p(/)  =  idD.  Then,  modulo 
some  technical  details  that  we  do  not  need  to  discuss  here,  p  is  a  fibration  iff  pullback  along  a 
morphism  c  :  0\  — >  o 2  in  T  determines  a  functor  between  fibers  E0]  and  EQ2.  As  this  definition 
suggests,  there  is  an  equivalence  of  categories  between  Fib(Y )  (the  fibrations  over  T)  and  Cat1 
(the  functor  category).  On  objects,  the  right-to-left  direction  is  the  Grothendieck  construction, 
and  the  left-to-right  direction  extracts  a  functor  from  a  fibration — this  extraction  is  not  possible 
for  an  arbitrary  functor  p  :  E  — >  T,  but  the  fibration  condition  ensures  that  it  is.  We  will 
refer  to  the  fibration  functor  p  :  fpA  — >  T  constructed  by  the  Grothendieck  construction  as  a 
weakening  map ;  concretely,  it  is  defined  by  first  project  on  objects  and  morphisms. 

The  set  of  terms  T  b  M  :  A  is  isomorphic  to  the  one-element  substitutions  T  b  id,  M+/x  : 
Y  ,  x:A+,  and  T  ,  x:A+  is  interpreted  as  fr  A.  Thus,  we  can  define  a  the  interpretation  of  a  term 
T  b  M :  A  to  be  a  functor  [M]  :  T  — ■>  JT|  [A]  such  that  the  T  part  of  the  functor  is  the 
identity — which  we  can  formalize  by  saying  that  [M]  is  a  section  of  p:  po  [M]  =  id.  However, 
following  Hofmann  and  Streicher  ( 1998 ),  it  is  more  convenient  to  use  an  equivalent  explicit 
definition: 


Definition  7.3.1.  For  a  category  T  and  a  functor  A  :  Y  — >  Cat,  the  set  of  terms  over  T  of 
type  A,  written  Tm  T  A,  consists  of  pairs  (M0,  Ma )  such  that 

•  For  all  7  6  Ob  T,  M0( 7)  G  Ob  (A(y)) 

•  For  all  c  :  71  — >r  72,  Mjc)  :  A(c)(M0( 71))  — >a(72)  M0( 72).  Moreover,  Ma( id)  =  id 
and  Ma(c2  o  ci)  =  Ma(c2)  o  A(c)(Ma(c1)). 

A  Tm  T  A  is  a  “dependently  typed  functor.”  When  A  is  a  constant  functor,  the  definition  reduces 
to  that  of  a  functor  M  :  Y  — >  A.  However,  in  general,  the  type  of  the  object  that  Ma  returns 


'This  is  usually  called  an  opfibration,  as  the  word  fibration  is  used  for  contravariant  fibrations,  which  we  will 
discuss  below. 
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depends  on  its  argument,  and  the  action  on  morphisms  relates  Ma( 72)  to  (M0(ji))  “adjusted”  by 
applying  the  functor  A(c).  As  with  functors,  we  elide  the  projections  from  M,  writing  M( 7)  and 

M(c). 

Semantic  Term  Transformations  Next,  we  define  the  semantic  counterpart  of 
r  h  a  :  M  ==?a  N.  We  characterized  terms  M  as  one-element  substitutions,  or  sections  of 
weakening.  Similarly,  we  can  define  a  transformation  between  M  and  iV  to  be  a  transformation 
(id,  M )  =>•  (id,  N ) :  Y  — >  fr  A  that  projects  to  the  identity  transformation  on  id.  However,  it  is 
more  convenient  to  work  with  the  following  equivalent  definition: 

Definition  7.3.2.  Given  a  category  T,  AiTyT,  and  M,  AiTmT  A,  a  dependent  natural 
transformation  a  :  M  ==>-  N  consists  of  a  family  of  maps  a7  such  that 

•  for  7  G  Ob  T,  ct7  :  M( 7)  — + A w  N( 7) 

•  for  c  :  71  — >r  72,  7V(c)  o  A(c)(a7l)  =  a72  o  M(c) 

Structure  of  the  Interpretation  Overall,  our  goal  is  to  show  that  every  well-formed  context 
denotes  a  category,  every  substitution  a  functor,  and  so  on.  This  can  be  factored  into  two  parts: 

The  interesting  part  of  the  interpretation  is  showing  that  each  inference  rule  is  true,  in  the 
following  sense:  given  the  semantic  domains  corresponding  to  the  premises,  we  can  construct 
the  semantic  domain  corresponding  to  the  conclusion.  For  example,  given  a  rule  such  as 

A  P  M:A  T  P9:A 
T  h  M[9\:A[9\ 

its  semantic  counterpart  is  a  function 

-[-]  :  (M  :  Tm  A  A)  -f  (9  :  Y  — Aj^TmT  A[9\ 

Once  we  have  defined  the  operations,  we  can  validate  each  equation  on  the  semantic  counterparts 
of  the  terms  in  question.  Taken  together,  these  constructions  and  proofs  represent  the  inductive 
steps  of  the  interpretation. 

The  second  part  of  the  interpretation  is  an  induction  on  syntax  and  derivations  that  interprets 
each  term  as  the  corresponding  semantic  construction,  and  definitional  equality  as  equations  in 
the  semantics.  This  step  runs  into  some  technical  considerations,  which  we  discuss  below. 

7.3.1  Semantic  Judgemental  Framework 

First,  we  validate  the  rules  and  equations  in  Figures  [7711  and  [7T2j 

Involution  The  involutions  are  interpreted  by  the  2-functor  — op  :  Cat  — >  Catco  which  sends 
each  category  to  its  opposite  category.  ropis  the  action  on  objects;  7opis  the  action  on  1-cells;  and 
5opis  the  action  on  2-cells.  More  concretely,  for  any  category  F.  ropis  the  category  whose  objects 
are  the  objects  of  T,  and  whose  morphisms  01  — >  02  are  morphisms  o2  — >  0\  in  T.  9op  simply 
“retypes”  a  functor  C  — >  D  to  a  functor  Cop  — >  73 op,  without  changing  the  data  involved. 
ciop  similarly  retypes  a  natural  transformation.  op  is  self-dual  up  to  equality,  which  justifies  the 
equations. 
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Identity  and  Composition  for  9  The  identity  and  composition  principles  for  substitutions  and 
transformations  are  interpreted  as  the  identity,  horizontal  composition,  and  vertical  composition 
operations  of  the  2-category  Cat.  The  equations  are  part  of  the  definition  of  a  2-category.  Com¬ 
position  of  substitutions  is  interpreted  as  functor  composition  9[6'].  0\()]  is  interpreted  as  the 
horizontal  composition  reflgf^] — ’’whiskering”  a  natural  transformation  with  a  functor.  Because 
id  builds  in  weakening,  it  cannot  be  interpreted  directly  as  the  identity  functor.  Instead,  the  in¬ 
terpretation  depends  on  the  weakening,  and  uses  the  functors  defined  with  each  form  of  context 
below:  skip  is  interpreted  as  the  functor  •  :  T  — >  1.  Given  6  :  T  — >  T7,  skip  is  interpreted  as  the 
functor  9  o  p±  :  T.A±  — >  T.  keep  is  interpreted  as  the  functor  ( 6  o  p*,  v*)  :  T.  — »  T.A. 

When  T  h  id  :  T,  the  interpretation  is  an  //-expanded  identity  functor. 

To  validate  the  1-subst  assoc/unit  equations,  we  observe  that  functor  composition  is  asso¬ 
ciative  and  unital,  which  justifies  the  first  and  third  equations.  The  second  equation  requires 
weakening  coherence  (described  below),  as  the  left-hand  side  is  interpreted  with  the  weaken¬ 
ing  all  the  way  at  the  outside,  whereas  the  right-hand  side  is  interpreted  with  it  at  the  leaves. 
The  1-resp  equations  are  part  of  the  definition  of  a  2-category.  The  op  interactions  are  part  of 
2-functoriality  of  op. 

Identity  and  Composition  for  5  ref\e  is  the  identity  natural  transformation;  d2  o  dt  is  composi¬ 
tion  of  natural  transformations,  or  vertical  composition  in  the  2-category  Cat.  <5[<50]  is  horizontal 
composition  of  natural  transformations.  The  assoc/unit  equations  state  associativity  and  unit  of 
these  compositions,  which  hold  in  any  2-category.  The  second  2-resp  rule  depends  on  weakening 
coherence,  like  the  corresponding  1-subst  rule.  The  interchange  law  also  holds  in  any  2-category, 
and  we  defined  0[<5]  to  make  delegate  true.  The  op  interactions  are  the  rest  of  2-functoriality  of  op. 

Types  A  type  is  interpreted  as  a  functor,  and  A[9]  as  functor  composition. 

map  is  an  instance  of  whiskering  a  functor  (into  Cat )  with  a  natural  transformation,  which 
can  be  thought  of  as  the  functorial  action  of  the  type  on  the  transformation.  For  reference,  we 
spell  out  the  explicit  construction:  given  a  type  C  :  Ty  T,  a  natural  transformation  5  :  6  =r  O’  : 
T  — >  A,  and  a  term  M  :  Tm  T  C[9\,  we  define  a  term  TmT  C[9']  as  follows: 

(mapc  5  M)(cr )  =  C(5a)(M(cr)) 

(mapc  5  M)(c  :  — >r  cr2)  =  C(Sa2)(M(c )) 

The  action  on  morphisms  has  the  appropriate  type  because  of  the  naturality  square  for  <5(c):  the 
domain  of  C(S(J2)(M(c))  is  C(9'(c))(C(5ai)(e(ai))),  which  equals  C  (9'  (5a2))(C  (9(c))(e(oi))) 
by  naturality  of  5  and  functoriality  of  C. 

The  0-subst  assoc/unit  rules  are  just  associativity  and  unit  of  functor  composition.  The 
0-resp  functoriality  rules  are  consequences  of  the  functoriality  of  the  type  C.  1-subst  and  1-resp 
can  be  calculated  from  the  definition  of  map.  The  def.  map  for  A[9]  is  associativity  of  whisker¬ 
ing. 

Terms  It  is  simple  to  check  that  a  term  Tm  A  A  and  a  functor  T  — »  A  can  be  composed  as 
indicated  by  M[9]: 

(M\9]  )M  =  M(0(<r)) 

(M[0])(c)  —  M(9(c)) 
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This  composition  is  functorial,  as  1-subst  assoc/unit  states,  because  9  is. 

M[S]  is,  component- wise,  the  action  on  morphisms  of  the  term  M,  which  is  required  to  be 
functorial  by  the  definition  of  Tm  T  A,  justifying  1-resp  assoc/unit  and  1-resp  preserves  reJI. 
1-respfor  1-subst  is  an  associativity  property. 

Term  Transformations  Semantic  identity  and  vertical  and  horizontal  composition  for  term 
transformations  are  defined  as  follows: 

(idj\/)o-  =  idM(cr) 

(o>2  °  Ol)ff  =  Ol2a  °  OL ia 

(ce[(5])o-  =  N(Sa)  o  A(c)(a(9(a))) 

Identity  id  :  M  = =>•  M  is  the  pointwise  identity;  naturality  holds  by  the  unit  laws.  Vertical  compo¬ 
sition  of  a  2  :  M2  =r  M3  and  a  ?  :  M,  =>-  M2  is  given  pointwise  as  well;  naturality  holds  using 
naturality  for  the  components  and  functoriality.  For  horizontal  composition  of  a  :  M  =>•  N  and 
5  :  9  =?  6',  naturality  again  holds  by  naturality  of  the  components  and  functoriality.  Because  of 
these  componentwise  definitions,  it  is  simple  to  check  that  these  operations  are  associative  and 
unital,  and  that  they  satisfy  an  “adjusted”  version  of  the  interchange  law. 

Equality  Rules  The  equality  rules  in  Figure[7J]are  all  obvious  in  the  semantics,  because  equal¬ 
ity  is  real  semantic  equality,  which  is  a  congruence,  and  everything  respects  it. 


7.3.2  Semantic  Contexts 

Empty  Context  The  empty  context  is  interpreted  as  the  category  1,  which  has  one  object  and 
its  identity  morphism.  Because  1  is  discrete  (no  non-identity  morphisms),  it  is  self  dual.  Because 
the  set  of  objects  and  the  set  of  arrows  are  unital,  there  is  only  one  functor  into  1  (it  is  a  terminal 
object  in  Cat),  and  only  one  natural  transformation  between  this  functor  and  itself.  This  justifies 
the  remaining  equations. 


Covariant  term  variables  T  ,  x:A+  is  interpreted  by  the  Grothendieck  construction  fr  A.  As 


Hofmann  and  Streicher 


(1998)  discuss,  there  is  a  bijection  between  functors  9  :  T 


Ia  ^ 


and  pairs  ( 9\ ,  M)  where  9 1  :  T  — >  A  and  M  :  Tm  T  A[91  ],  given  by  pairing  and  projection  at 
the  meta-level:  the  above  functor  p  projects  the  first  component,  v  :  Tm  (fr  A)  (/l[p|)  projects 
the  second,  and  we  write  (9 1,  M )  for  the  reverse  direction.  Variables  are  interpreted  as  v  p+ "], 
where  p  "  is  the  appropriate  number  of  projections  to  find  the  variable  in  F.  The  transformation 
rule  says  that  the  natural  transformations  between  two  functors  into  fr  A  are  themselves  given  as 
pairs,  which  follows  from  the  fact  that  morphisms  in  fr  A  are  pairs:  the  transformation  rule  is  ex¬ 
actly  the  definition  of  morphisms  written  out  type-theoretically.  More  concretely,  we  can  define  a 
natural  transformation  of  the  appropriate  type  by  (5,  a)a  =  ( 8a ,  aa),  and  that  the  commutativity 
condition  follows  from  commutativity  for  8  and  a. 

The  (3i ]  equations  hold  because  objects  and  morphisms  in  JrA  are  products.  1-id  follows 
from  i].  refl  and  trails  follow  from  the  definition  of  identity  and  composition  for  this  category. 
1-subst  and  1-resp  and  2-resp  all  reassociate  compositions.  The  op  rules  requires  the  definition 
of  contravariant  context  extension,  which  we  treat  next. 
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Contravariant  term  variables  T  ,  x:A~  is  interpreted  as  (frop  A)op:  We  are  given  a  category 
T  and  a  functor  [A]  :  [r]op  — >  Cat.  Thus,  we  can  form  /jrjop[^4]-  In  the  syntax,  we  have 
weakening  for  a  contravariant  context  extension,  so  we  require  a  functor  [T  ,  x\A~\  — >  [T], 
However,  p  :  f-r-op  f/lj  — >  |[F]op  faces  in  the  wrong  direction.  Thus,  we  interpret  T  ,  x:A~  as 
(JIrIop[/l])op.  For  any  functor  F  :  C  — >  D,  there  is  a  functor  Fop  :  Cop  — >  Dop  given  by  the 
same  data,  so  pop  :  (/T-op  [/l|)op  — >  [T]  provides  the  required  weakening  map. 

The  substitution  and  transformation  rules  express  the  fact  that  (  fr  A)op  has  similar  structure 
to  fr  A:  objects  and  morphisms  are  pairs  of  a  certain  form.  Indeed,  we  could  directly  spell  out 
the  construction  of  a  contravariant  fibration  fr  A  from  a  contravariant  functor  A  :  Top  — >  Cat, 
but  here  we  derive  the  definition  from  op  instead^ 

The  equations  are  analogous  to  those  for  fr  A.  The  invol  rules  are  clearly  validated  by  this 
definition  using  the  fact  that  Topop  =  T. 


7.3.3  Semantic  Types 


II  II-types  are  defined  as  in  Hofmann  and  Streicher  (1998):  we  follow  their  construction, 
checking  that  everywhere  they  depend  on  symmetry  of  equality,  we  have  inserted  the  appropriate 


op' 


S. 


For  a  category  T  and  a  /I :  Ty  rop,  we  abbreviate  semantic  contravariant  context  extension 
(/rop  A)op  by  T.A-.  Given  a  B  :  Ty  r.A~  and  an  object  a  G  Ob  T,  we  define  Ba  :  Ty  A(a)  by 


(At)K)  =  B(a,  cr') 
{Ba)(c)  —  -B(idCT,  c) 


For  any  T  and  A,  the  T m  F  A  are  the  objects  of  a  category  with  morphisms  given  by  term 
transformations  a.  This  lets  us  define  a  II  type  as  follows: 


(n  A  B)a  =  Tm  A{a)op  Ba 

Functoriality  is  given  by  pre-  and  post-composition:  the  contravariance  of  A  ensures  that  the 
pre-composition  faces  the  right  direction.  A  and  application  and  /3r]  rules  are  interpreted  by 
giving  a  bijection  between  T m  T./l"  B  and  Tm  T  I  \AB.  The  transformation  intro  and  elim  and 
/3‘r]  rules  express  a  bijection  between  M  ==>-  N  :  T  — >  II AB  and  M  v  ==>-  N  v :  r.A~  — »  B. 
The  proof  follows  Hofmann  and  Streicher  (|1998j),  Section  5.3,  which  observes  that  the  groupoid 
interpretation  justifies  functional  extensionality.  Simple  calculations  validate  the  remaining  rules. 


£  Because  both  subcomponents  of  E  x :  A .  B  are  covariant,  the  interpretation  given  in  Hofmann 
and  Streicher  ( 1998j)  adapts  to  our  setting  unchanged.  In  particular,  given  /I  :  Ty  Y  and  B  : 
Ty  (fr  A),  a  semantic  £-type,  EAB  is  defined  by 


(EAB)0=  [  B0 

J  A(o) 


2In  fact,  it  is  more  common  to  define  fr  A  so  that  it  is  equivalent  to  (/rop(op  o  /l))op.  We  have  avoided  this 
definition  because  we  have  only  considered  syntactic  rules  for  the  op  functor  on  contexts,  not  on  types.  We  will 
return  to  this  point  below. 
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with  functoriality  defined  componentwise.  Pairing  and  projection,  and  pairing  and  projection  for 
transformations,  follow  from  the  definition  of  the  Grothendieck  construction. 

Generic  rules  for  set  and  elements  set  is  interpreted  as  the  constant  functor  returning  Sets, 
the  category  of  sets  and  functions.  We  avoid  size  issues  by  taking  Cat  to  be  the  (larger)  category 
of  large  categories,  so  that  Sets  is  an  object. 

Because  the  action  on  morphisms  of  a  constant  functor  is  the  identity,  Tm  T  set  is  bijective 
with  T  — >  Sets.  There  is  a  full  embedding  discrete  :  Sets  — >  Cat.  This  embedding  takes 
each  set  to  the  discrete  category  on  that  set:  a  set  X  is  mapped  to  the  category  whose  set  of 
objects  is  X  and  whose  arrows  are  only  the  identity  on  each  element  of  X.  This  embedding 
is  full  because  the  functors  between  two  discrete  categories  are  bijective  with  the  set-theoretic 
functions  between  their  objects  (the  action  on  morphisms  is  trivial,  because  the  only  maps  are 
identities).  Thus,  we  can  represent  29(5')  semantically  by  discrete  o  S.  As  usual,  we  overload 
notation  and  write  29(5')  for  discrete  o  S. 

The  transformation  rule  for  set  expresses  (half  of)  an  isomorphism  between,  on  the  one  hand, 
natural  transformations  between  two  functors  into  Sets,  and,  on  the  other,  terms  Tm  fr  29(5')  7) (S'). 

This  direction  is  implemented  as  follows:  we  construct  M-  S  ==>•  S'  :  T  — >  Sets  given 
M:Tm(/r(29(5)))(29(5'))by 


(M)(<t)  —  x  (->•  M (a,  x ) 

For  a  morphism  c,  naturality  is  given  by  x  i— >•  M(c,  id;c).  This  “currying”  is  exactly  analogous  to 
the  interpretation  of  II  types,  except  here  we  abstract  over  a  covariant  variable. 

The  transformation  introduction  rule  for  79(5')  is  just  the  identity  transformation,  and  the 
transformation  elimination  rule  is  equality  reflection.  To  interpret  equality  reflection,  observe  that 
(1)  by  proof-irrelevance  for  equality  in  the  semantics,  two  Tm  T  79 (.S')  are  determined  entirely 
by  their  action  on  objects,  as  the  action  on  morphisms  produces  a  proof  of  equality  and  (2) 
the  interpretation  of  the  premise  says  that  M (a)  =  N (a)  for  all  a.  Thus  M  and  N  are  equal 
Tm  T  D(S). 

The  def.  29(— )  equation  similarly  expresses  that  the  action  on  morphisms  of  a  Tm  T  79(5') 
proves  an  equality.  The  q  rule  for  Sets  is  analogous  to  the  q  rule  for  II.  The  q  for  for  D(-)  holds 
because  all  morphisms  are  the  identity.  0-subst  is  given  compositionally.  0-resp  is  the  identity 
for  a  constant  functor,  and  for  1 9(5')  determined  by  the  action  on  morphisms  of  S.  The  remaining 
equations  are  true  by  simple  calculations. 

Particular  Sets  Semantic  II  and  E  are  defined  as  follows: 

(E  S  S')(a)  =  E mes^S' (a,  m) 

(E5'5")(c)  =  (m,  m')  >  (5'(c)(m),  5'(c.  id)(m')) 


=  n  meS{a)S'(a,m) 

=  f  >-►  (ih  S(c,  id )(f(S(c)(x)))) 


(US  S')  (a) 

(n  ss')(c) 
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0  is  the  empty  set,  1  is  the  one-element  set,  and  2  is  booleans.  For  identity,  we  define  Ids  M  N  :  Ty  r 
by 

(\dAMN)(o)  =  1  if  M(o)=N(o) 

=  0  otherwise 


Functoriality  holds  because  the  functorial  action  of  M  and  N  give  equations,  which  can  be 
combined  using  symmetry  and  transitivity  to  give  the  result. 

The  term  rules  for  II  and  £  express  a  bijection  between  the  set-theoretic  II  and  £  and  the 
category-theoretic  definition  applied  to  discrete  categories.  The  intro  maps  for  1  and  2  are  the 
corresponding  elements,  and  the  elimination  maps  are  standard  for  an  initial  object  and  a  coprod¬ 
uct.  Because  if  and  abort  eliminate  towards  an  arbitrary  type,  we  check  them  in  more  detail.  For 
the  covariant  if  (where  M  :  Tm  T  2),  we  proceed  as  follows: 


(if  (M,M1,M2))(a) 
(if  (M,MuM2))(a) 


Mi  (a)  if  M(a) 
M2(cr )  otherwise 


^{M,MuM2)){c:a1— >  a2) 
(if(M,  Mt ,  M2))(c  :  G\  — ►  cr2) 


Mi(c )  if  M(ffi) 
M2(c)  otherwise 


The  action  on  morphisms  is  well-typed  because  M(c)  shows  that  M(ai)  =  M(cr2).  The  con- 
travariant  if  is  defined  similarly,  as  2  is  discrete  and  therefore  symmetric.  The  semantic  version 
of  abort  is  defined  by  elimination  on  the  empty  set.  The  rules  for  identity  express  that  the  se¬ 
mantics  of  Ids  is  isomorphic  to  the  transformations  at  D(S),  which  are  both  just  the  equations 
between  members  of  T)(S).  The  remaining  equations  are  validated  by  calculation. 


7.3.4  Soundness  Theorem 


Next,  we  formally  interpret  the  syntax  of  the  theory  into  Cat.  We  have  already  discussed  the 
semantic  constructions  that  make  up  the  inductive  step  of  each  case,  so  what  remains  is  to  tie  it 
together.  We  follow  the  development  in  Hofmann  (1995]):  first,  we  define  a  partial  interpretation 
of  raw  syntax.  This  consists  of  the  following  judgements,  where  we  write  T,  M,  etc.  for  semantic 
terms. 


r  >r  _ 

r  »  r  h  0 » 0 :  a 
r»rb(i»M  W 

r>rhd>d  type 

r>rh«>a:M  =^a  tM' 

The  first  judgement  means  that  the  meaning  of  T  is  the  category  F.  The  second  means  that  if 
the  meaning  of  T  is  T,  then  the  meaning  of  9  is  a  functor  6  into  the  category  A.  The  remaining 
judgements  are  analogous. 
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For  contexts  and  types,  the  rules  simply  track  the  structure  of  the  typing  derivation,  and  apply 
the  corresponding  semantic  construction  to  the  results.  For  example: 

r  >  r  r»rhd»I type  r > r  rop»rphd»I type  r > r 
r  ,  x:A+  »  frA  r  ,  x:A-  >  (fF  oP  A)°p  T°  p  >  f°P 

rop  »  rop  b  A  »  A  type  (r  ,  x:A~)  >  (fF «P  A)op  b  B  >  B  type 
r  »  r  i-  n  x-.a.  b  n -^b  type 

For  the  remaining  judgements,  the  rules  do  type  checking  in  the  semantics,  in  that  they  insist 
that  the  semantic  types  fit  together  appropriately.  For  example,  we  show  the  rules  for  II-types: 

rop»r°Pb  Atype 

r°P  »r°phd»i type  _  (r , xdt)  >  (/po^4)op  b  b  >  b type 

(r  ,  x\A~)  S>  (fF  op  A)op  b5>B  type  T  »  T  b  M  »  M  :  II4T> 

(r  ,  x:A')  >  (/rop  A)op  b  M  »  M  :  B  rop  >  r°P  b  N  >  TV  :  A 

r  >  r  b  Ax:  A  MB  >  A(M)  :  r»fb  aPPyM,s(M,  AT)  »  MA  :  5[idr,7V] 

The  transformation  rules  are  similar. 

A  simple  induction  shows  that  the  interpretation  is  unique  if  it  exists: 

Lemma  7.3.3:  Uniqueness. 

•  IfT  T  and  T  Tx  then  T  =  Tx. 

•  IfT  T  b  9  0  :  A  and  T  3>  T  b  0  $x  :  A4  then  A  =  Ax  and  6  =  9\. 

•  7/r  »  f  b  5  >  5  :J  W 

and  r  >  T  b  5  >  <5i  :  d1  =^^7  6\ 

then  A  =  Ax  and  9  =  9\  and  9'  =  9[  and  5  =  <5x- 

•  IfT  >rbd>3  type  and  T  S>  T  b  A  3>  A\  type  then  A  =  A\. 

•  7/T  >  T  b  M  >  M  :  3  rmJ  r>TbM>  Mi  :  A±  then  A  =  A\  and  M  =  M\. 

•  IfT  >  T  b  a  >  a  :  M  =^a 

r  »  T  b  a  »al:  Mi  =>aI  M{ 
then  A  =  A\  and  M  =  M\  and  M'  —  M[  and  a.  =  a±- 
The  proof  exploits  the  fact  that  the  type  of  a  term  is  determined  (up  to  equality)  by  its  immediate 
subterms.  Otherwise,  there  would  be  some  non-determinism  in  e.g.  the  application  rule,  which 
would  require  guessing  a  domain  type,  and  this  non-determinism  would  make  the  interpretation 
less  obviously  unique. 

The  interpretation  interacts  with  weakening  in  the  expected  way:  First,  a  weakening  wTD 
A  induces  a  functor  between  the  interpretations  of  the  contexts.  Second,  weakening  commutes 
with  the  interpretation,  in  the  sense  that  interpreting  in  a  larger  context  is  the  same  as  interpreting 
in  a  smaller  context  and  then  weakening. 

Lemma  7.3.4:  Weakening. 

1.  Ifw  :T7A  and  r>T  and  A>A  then  there  is  a  functor  w  :  T  — >  A 

2.  For  any  of  the  contextual  interpretations,  ifT  ctx  and  A  ctx  and  I  A>  I  and  A  >  A  and 
w  :  T  D  A  and  A  >  A  b  t  >  t  :  J  then  T  >  T  b  f  >  t[w\  :  J[w\ 
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Proof.  The  construction  for  the  first  part  was  described  above.  The  second  part  is  true  by  a 
simple  induction,  using  the  equations  discussed  above  for  how  semantic  substitution  commutes 
with  constructors.  □ 

Theorem  7.3.5:  Soundness. 

Formation: 

•IfT  ctx  then  V  V 

•  IfT  ctx  and  T  >  T  and  T  b  6  :  A  then  A>A  and  T3>rb03>0:A 

•IfT  ctx  and  T  >  T  and  T  b  5  :  6  =^>a  9'  then  A  >  A  and  T>Th0>0:A  and 

r»rb0'»F:Awr»rbA»A:0  W 

•  IfT  ctx  and  T  >  T  and  T  b  A  type  then  r>rbd>3  type 

•  IfT  ctx  and  T  T  and  T  b  M  :  A  then  T>TbA>  A  type  and  r>rbM>M:j4 

•  If  T  ctx  and  T  3>  T  and  T  b  a  :  M  =>a  M'  then  T  >  T  b  3  >  3  type  and 

T>TbM>M  :  A  and  T  >  T  b  M'  M'  :  A  and  T>Tba>a:M  ==^a 

Equality: 

•  IfT  =  A  then  T  T  and  A>A  and  T  =  A 

•  If  T  ctx  and  T  T  and  T  b  6  =  6' :  A  then  A  A  and  T>Tb0>0:A  and 

r»Fb0'»0':  A  and  6  =  1? 

•  IfT  ctx  and  T  >  T  and  T  b  6  =  5' :  9  =^/\  9'  then  A>A  and  r>Tbf)>0:  A  and 

T  »  T  b  9'  »  o'  :  A  an d  T  »  T  b  A  »  5  :  9  9'  an d  T  »  T  b  5'  »  t  :  9  O' 

and  6  =  5 

•IfT  ctx  and  T  T  and  T  b  A  =  A' type  then  T  S>  T  b  A  S>  A  type  and  T  >  T  b 
A'  A7  type  and  A  =  X 

•IfT  ctx  and  T  T  and  T  b  M  =  M' :  A  t/ren  T  S>  T  b  A  A  type  c/nJ  T  >  T  b 

M  >  M  :  A  anJ  T  >  T  b  M'  S>  M  :  A  and  M  =  M 

•IfT  ctx  cmJ  T  >  T  cmJ  T  b  a  =  a7 :  M  =>a  M'  then  T  T  b  A  S>  A  type  and 
T  >  T  b  M  >  M  :  A  and  T  >  T  b  M'  m'  :  A  and  T>Tb«>a:M  ==^  Ad 
and  T»Tba'»a':M  AT7  and  a  =  a' 

Proof.  Mutual  induction  on  the  principal  formation/equality  judgement.  □ 

There  is  no  need  to  prove  a  separate  compositionality  lemma  (substitution  commutes  with 
interpretation),  because  this  is  expressed  by  the  interpretation  of  explicit  substitutions.  The  usual 
proof  of  compositionality  is  embedded  in  the  proof  that  each  of  the  0-subst  and  1-subst  equations 
hold. 

On  the  semantic  front,  an  important  piece  of  future  work  is  to  generalize  this  semantics  to 
a  class  of  2-categories  with  appropriate  structure  (for  example,  the  role  of  functors  into  Cat 
will  be  played  by  fibrations),  prove  a  completeness  result,  and  investigate  other  instances  of  this 
structure. 
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7.4  Discussion 

In  this  chapter,  we  have  taken  the  first  steps  towards  a  directed  dependent  type  theory,  where 
each  type  is  equipped  with  a  notion  of  transformation  between  its  members,  and  dependent  types 
and  terms  are  equipped  with  a  functorial  action  on  transformations.  This  calculus  has  several 
interesting  technical  ingredients:  First,  we  represent  transformations  as  a  judgement,  rather  than 
as  an  analogue  of  the  identity  type,  which  is  necessary  because  the  collection  of  transformations 
is  not  functorial  in  the  ambient  context.  Second,  we  track  the  variances  of  assumptions,  which 
is  necessary  to  ensure  that  the  functorial  action  of  each  type  constructor  can  be  defined.  Third, 
we  internalize  the  identity  and  composition  principles  of  a  2-category  as  identity  and  substitution 
operations,  whose  meaning  is  explained  by  definitional  equality  rules.  These  principles  include 
familiar  explicit  substitutions  in  terms  and  types,  as  well  as  the  functorial  action  of  each  type 
constructor  (map),  and  operations  stating  that  terms  and  transformations  respect  transformation 
(e.g.  M[S]  and  a  [5]).  The  definitional  equality  rules  explain  these  principles  in  terms  of  other 
constructs  of  the  calculus.  An  interesting  avenue  for  future  work  is  to  give  a  more  syntactic 
presentation,  where  the  identity  and  composition  principles  are  treated  as  meta-operations  (like 
ordinary  substitution  traditionally  is).  We  conjecture  that  the  equations  given  here  are  sufficient 
to  define  these  meta-operations,  but  we  leave  an  investigation  of  this  approach  to  future  work. 

In  the  next  chapter,  we  show  how  2DTT  accounts  for  the  structural  properties  of  the  generic 
judgement,  and  we  sketch  other  extensions  that  will  make  it  useful  for  programming  with  logical 
systems  that  mix  admissibility  and  derivability. 


Chapter  8 

Applications  and  Extensions 


In  this  chapter,  we  discuss  some  applications  of  2DTT  to  programming  with  variable  binding. 
First,  we  demonstrate  that  2DTT  provides  the  right  vocabulary  for  analyzing  the  structural  prop¬ 
erties  of  the  generic  judgement.  Second,  we  sketch  a  variety  of  extensions  to  the  base  theory  that 
will  make  2DTT  a  convenient  language  for  programming  with  logics. 

8.1  The  Generic  Judgement 

In  this  section,  we  demonstrate  two  facts:  First,  2DTT  provides  the  tools  to  describe  the  structural 
properties  of  the  generic  judgement.  Second,  2DTT  provides  general  answers  to  the  question  of 
what  operations  can  be  used  in  the  subject  of  a  generic  judgement,  while  remaining  structural. 

8.1.1  Simple  Contexts  and  Variables 

Here,  we  concentrate  on  the  structural  properties  of  weakening,  exchange,  and  contraction;  sub¬ 
stitution  is  discussed  below.  To  illustrate  these  ideas  in  as  simple  a  setting  as  possible,  we  begin 
by  representing  uni- sorted  contexts  (where  the  lone  sort  is  written  i  for  individual),  which  are 
essentially  natural  numbers  representing  the  number  of  free  variables  of  an  expression.  Contexts 
are  a  directed  type,  with  morphisms  given  by  variable-for-variable  substitutions.  The  generaliza¬ 
tion  to  multi-sorted  contexts  is  analogous. 

Contexts  are  constructed  by  e  (zero)  and  'F,  i  (successor).  A  transformation  'F  =^ctx  'F7 
means  that  \F  h  \F7,  so  syntax  will  typically  be  indexed  contravariantly  by  \F.  Transformations 
between  contexts  have  two  introduction  forms,  e  and  (a,v),  and  one  elimination  form  (first 
projection),  map  at  var(— )  plays  the  role  of  second  projection.  Variables  are  classified  by  the  set 
var('F),  and  introduced  by  zero  and  successor  indices. 

These  constructs  satisfy  the  following  equations:  For  contexts,  the  /3-rule  says  that  projecting 
from  a  pair  is  the  first  component,  and  the  //-rules  expand  renamings  into  concrete  contexts. 
1 -sub st  is  standard.  The  action  of  the  constructors  on  renamings,  given  by  1-resp,  is  trivial  for  e 
and  uses  “parallel”  renaming  extension 

((-  o  7r),  z)  :  \F  ==>  'F7  — ■>  'F.  i  ==>  'F7,  i 

for  'F.  i.  We  discuss  the  remaining  equations  below. 
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_  _  n-$:  ctx 

T  b  ctx  type  T  b  e :  ctx  F  b'I'.hctx 

rh«:f  =^ctx  Vi/'  r  h  v:  D(var(tf )) 

The:  ^  =^ctx  e  F  b  (a,  v)  :  'F  =^ctx  i  F  b  n  :  \F,  i  =^ctx  VI; 

rop  b  ^  :  ctx  _  r  b  v  :  P(var(^)) 

T  b  var('F) :  set  F  b  z  :  D(var(\F,  i))  F  b  s(i>) :  2}(var(\F,  i)) 

Equations  for  contexts: 


n  o  ( a ,  v ) 

= 

a 

2-/? 

a  :  'F  ==>•  e 

= 

e 

2-q 

:  :  i 

= 

(n  o  a),  z 

ctx[0] 

= 

ctx 

O-subst 

mapA.ctx  ^  M 

= 

M 

O-resp 

40] 

_ 

e 

1-subst 

= 

t[9],i 

#] 

= 

e 

1-resp 

(«,0M 

= 

N 

O 

g 

ref  le 

= 

e 

refl 

refl^; 

= 

(refl^)  o  7r,  z 

ref l 

e  o  a 

= 

e 

trans 

(a2,v)  o  on 

= 

a2  °  ai,  map  ai  tj 

e[5\ 

= 

e 

2-resp 

(«,  w)[5] 

= 

a [5],  v[6i] 

*[S\ 

= 

IT 

Equations  for  variables: 


var(tf)[0] 

= 

var(tf[0]) 

1-subst 

var(\F)[<5] 

= 

®-map^.©(varW)  ^[<Sop]  x 

1-resp 

maPy.O(var(i/)))  (a>  V)  Z 

= 

V 

1-resp 

m3Py,.0(var(y,))  (a,u)  s(i) 

= 

maPi/>.:D(var(^))  a  1 

1-resp 

ma  Py>.  D(var(i/>))  rt  i 

5  (i) 

1-resp 

m 

= 

z 

1-subst 

s(v)[6] 

= 

s(v[0]) 

1-subst 

ziS] 

= 

* 

1-resp 

s(u)[<*] 

= 

•k 

1-resp 

Figure  8.1:  Simple  contexts  and  variables 
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8.1.2  Structurality 

To  illustrate  structurality,  we  consider  a  representation  of  a  judgement  'kb  0,  where  \k  is  a  ctx 
and  0  is  a  proposition  that  can  mention  the  variables  in  \k.  We  represent  propositions  by  a  set 

r°P  b  ^  :  ctx 
T  b  propo  T  :  set 

This  typing  says  that  propositions  are  contravariantly  functorial  in  'k,  meaning  that 

w  :  'k  =^ctx  VI;/  0 :  propo 
(maP0-.PropoV>  O'/VO  e)  :  propo  T 

Moreover,  the  functoriality  equations  for  map  stipulate  that  weakening  by  the  identity  is  the 
identity,  weakening  by  a  composition  is  composition  of  the  weakenings,  and  so  on.  We  will 
sometimes  abbreviate  map^,- propo^,  w~ /rw  e  by  map  w  e  when  the  meaning  is  clear  from  context. 
Next,  we  represent  natural  deduction  derivations  by  a  type 

Top  b  rk  :  ctx  T  b  0  :  prop  \k 
T  b  nd  rp  0  :  set 

The  type-generic  rule  for  map  specializes  to  the  appropriate  renaming  principle: 

w  :  'k  =^ctx  vk/  e  :  nd  'k7  0 
(map^/,- a+  nd  ij)  a  (w'M  refl + / a)  e) :  nd  'k  (map  w  0) 

As  desired,  this  principle  says  that  the  renaming  of  the  derivation  proves  the  renaming  of  the 
judgement. 

8.1.3  Subjects  of  Judgements 

Above,  we  raised  questions  about  what  propositions  0  may  be  used  in  inference  rules  for  'k  b  0 
without  invalidating  the  structural  properties.  2DTT  provides  a  general  framework  for  answering 
these  questions,  and  in  fact,  the  answer  is  quite  simple.  As  we  explain  further  below,  an  inference 
rule  will  typically  be  stated  for  an  unknown  context  variable  0  :  ctx'.  Thus,  typical  instances  of 
propositions  in  inference  rules  will  be  in  an  unknown  context,  as  in  0  :  ctx'  b  0 :  propo  0,  or  in 
the  extension  of  an  unknown  context,  as  in  0  :  ctx'  b  0  :  propo  (0,  i)  (e.g.  in  the  premise  of  the 
universal  quantifier  introduction  rule).  And  indeed,  any  terms  of  these  types  can  be  used  in  rules. 
The  reason  is  that  the  term  typing  judgement  in  2DTT  provides  the  necessary  guarantees. 

This  is  easiest  to  explain  for  a  rule 

0  b  01  .  .  .  0  b  0n 

0  b  c(0i,  .  .  .  ,0n) 

To  prove  renaming  for  a  judgement  defined  by  this  rule,  it  is  necessary  to  show  that  given  w  : 
Ti  =^ctx  fk 2  and  propositions  0* :  propo  ^ 

map  w  cvj/2  (0i , . . . ,  0n)  =  c^map  w  0i, . . . ,  map  w  0n) 
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However,  any  term 

0  :  ctx",  (p1  :  propo  0+, . . .  bc:propo0 
has  exactly  this  property,  because  there  is  a  transformation 

(w"M  refr/01,  .  .  .)  :  {V 2~  /  ,  <t>  1+ /  <t>  1,  •  •  •)  =^:ctx-,01  :propoV>+,-)  (Vi'/i’,  (maP  W  filY/fil,  ■  ■  ■ 

and  thus  functoriality  of  c  gives  the  result:  c[w,  refl, . . .]  gives  a  transformation  at  D(— ),  which 
by  equality  reflection  proves  the  equation. 

Moreover,  there  is  nothing  special  about  the  indices  of  the  premises  being  tuples  of  proposi¬ 
tions:  any  term  0  :  ctx"  b  c  :  A  commutes  with  renaming  in  a  sense  appropriate  for  A. 


Context-parametric  terms  The  above  discussion  has  reduced  the  problem  of  what  proposi¬ 
tions  can  appear  in  inference  rules  to  deciding  what  terms  of  the  form  0 :  ctx'  b  M  :  A  arc 
permissible  in  2DTT.  Based  on  the  above  examples  of  programming  with  logics,  we  have  some 
intuition  for  what  should  and  should  not  be  allowed: 

•  A  proposition  constructed  out  of  variables  and  constructors  should  be  allowed  (e.g.  the 
conclusion  of  conjunction  introduction). 

•  A  proposition  constructed  by  applying  the  structural  properties  should  be  allowed  (e.g.  the 
conclusion  of  V-elimination) 

•  A  proposition  constructed  by  case-analyzing  the  context  0  should  not  be  allowed. 

Intuitively,  constructors  and  variables  commute  with  renaming,  and  renamings  commute  be¬ 
cause  they  compose.  However,  a  term  that  intensionally  analyzes  the  context  may  not  commute 
with  renaming,  because  it  may  compute  differently  on  the  different  contexts. 

The  functoriality  component  of  the  definition  of  terms  in  2DTT  allows  the  former  two  but 
disallows  the  latter.  Variables,  constructors,  and  map  are  all  ways  of  constructing  a  term.  How¬ 
ever,  we  cannot,  for  example,  add  the  usual  recursor  for  ctx,  as  this  would  permit  functions  that 
do  not  respect  renaming: 

T  :  ctx+  b  tail('T)  :  ctx 
tail(e)  =  e 
tail('T.  i)  =  T 

tail  does  not  respect  transformation,  in  that  if  ==>•  I1'  there  is  not  necessarily  a  transformation 
tail(T')  ==>•  tail('T/).  To  see  this,  take  T7  =  (e,  i)  and  T'  =  (e,  i.  i),  and  let  the  original  renaming 
map  both  variables  in  to  the  one  variable  in  T7.  There  is  no  renaming  e  =>  i,  so  this  renaming 
cannot  be  preserved  by  tail.  Because  the  functoriality  component  of  a  terms  requires  it  to  respect 
transformation,  tail  cannot  have  this  type.  However,  certain  functions  on  contexts  do  respect 
transformation.  An  example  is  the  transformation  ir,  which  can  be  defined  by  recursion  on  the 
context. 

Similar  considerations  influence  the  elimination  forms  for  variables  and  syntax:  the  richer 
the  notion  of  transformation,  the  fewer  eliminations  respect  it.  For  example,  we  cannot  give 
the  standard  case-analysis  principle  for  variables  var('T),  giving  a  case  for  z  and  a  case  for  s. 
The  reason  is  that  functoriality  imposes  a  coherence  constraint  between  the  transformation  of 
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the  result  of  the  zero  case  and  the  result  of  the  successor  case.  However,  some  functions  are 
permissible.  For  example,  we  can  provide  an  equality  test: 

T  :  ctx',  x,  y  :  var('F)+  b  eq(x,  y ) :  2' 


if  we  take  2!  not  to  be  the  discrete  category  on  booleans,  but  the  two-point  category  with  false  < 
true — equal  variables  stay  equal  under  renaming,  but  disequal  variables  may  become  equal.  Con¬ 
versely,  restricting  the  transformations  at  a  type  enables  more  general  elimination  forms:  for 
example,  |Pouillard  and  Pottier  (2010)  show  that  the  operation 


islast :  var('F,  i) 


respects  bijections  on  variables,  but  it  does  not  respect  arbitrary  renamings. 

For  syntax,  when  ctx  is  restricted  to  renamings,  propo  can  be  equipped  with  the  usual  re¬ 
cursor,  because  case-analysis  on  constructors  commutes  with  renaming.  However,  if  the  context 
category  is  instead  taken  to  be  term-for-variable  substitutions,  then  this  places  additional  re¬ 
strictions  on  a  context-polymorphic  term:  a  general  recursor  is  no  longer  permitted,  because  a 
recursive  function  over  propositions  does  not  necessarily  respect  substitution.  On  the  other  hand, 
arbitrary  recursive  functions  over  syntax  are  classified  by  the  type 

n^:!ctx.  exp  un!  — >  exp  un!  +rip 


\A,  which  is  discussed  in  more  detail  below,  discretizes  a  type,  forgetting  all  transformation 
structure.  When  A  is  closed,  like  ctx,  it  has  both  co-  and  contravariant  inclusions  into  A,  which 
we  notate  un!+  and  un!"  .  Because  transformations  at  !ctx  are  only  equalities,  a  function  of  this 
type  may  avail  itself  of  the  usual  recursion  operators  to  analyze  contexts  and  expressions. 

2DTT  provides  a  natural  setting  to  explore  this  hierarchy  of  coarser  and  finer  notions  of  a 
transformation  on  a  type.  In  the  semantics,  a  term  can  be  defined  giving  a  function  on  raw 
objects,  in  addition  to  a  proof  that  it  respects  transformation.  We  can  expose  this  in  the  syntax 
in  a  manner  similar  to  quotient  types:  one  can  define  a  function  on  a  higher-dimensional  type  by 
defining  a  function  on  the  raw  terms  and  proving  separately  that  it  respects  transformation.  We 
speculate  on  this  extension  below. 

At  present,  because  we  have  not  yet  exposed  this  functionality  in  the  syntax,  ctx  and  hctx('F) 
deviate  from  the  methodology  we  espoused  above:  For  example,  we  include  7r  as  a  primitive 
elimination  form  for  context  transformations — in  a  more  general  setting,  it  could  be  defined  by 
recursion  on  contexts  and  proved  to  respect  transformation,  ref  I  a  o  a',  and  map  are  not  in 
general  definable  in  terms  of  other  constructs — though  they  are  for  canonical  transformations. 
For  variables,  the  only  unusual  rules  are  for  1-resp  and  map,  which  are  anomalous  because  we 
do  not  have  a  general  elimination  form  for  variables.  Instead,  we  cheat  by  (1)  reducing  var('F)  [5] 
to  map  and  (2)  giving  rules  for  map  that  pattern-match  on  the  term  it  is  applied  to. 


8.2  Extensions 

In  this  section,  we  sketch  various  extensions  to  2DTT  that  will  make  it  more  convenient  for 
programming  with  logics. 
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8.2.1  Datatypes 

Our  goal  in  this  section  is  to  show  that  if  we  extend  2DTT  with  a  datatype  mechanism,  then 
we  can  generate  weakening,  exchange,  and  contraction  for  many  interesting  signatures  just  by 
writing  down  the  type  in  2DTT. 

For  this  section,  we  assume  a  datatype  mechanism  that  allows  definitions  of  the  form 

D  :  (A  ->  set)  =  B 

where  A  is  a  type  and  D  :  (A  — >  set)+  b  B :  A  —>  set.  The  idea  is  that  D  is  an  inductive  set 
indexed  by  A,  with  unrolling  given  by  B.  Inductive  types  are  functorial  if  their  unrollings  are, 
and  map  at  'DID  a)  is  given  recursively  using  functoriality  of  its  unrolling  D{B  a).  Datatypes 
of  this  form  should  admit  the  usual  induction  principles  as  elimination  forms. 

A  definition  of  this  form  could  be  represented  by  an  indexed  p.: 

rop  b  A  type  Top  b  /  :  A  T,  r  :  D(A  — ■>  set)+,  i :  A"  b  F  :  set  rop  b  M  :  A 

T  b  pA(r.i.F,  I ) :  set 


which  is  introduced  by  unrolling 

T  b  M  :  F[\d,  Xx.  p(r.i.F,  x)~/r,  I'/i] 
T  b  in  M  \  pA(r.i.F,  I) 


and  eliminated  by  recursion. 

The  problem  with  this  definition  is  that  it  admits  too  many  recursive  types:  The  variance  of  r 
ensures  that  the  recursive  occurrences  are  only  in  positive  positions,  which  precludes  examples 
such  as  D  =  ( D  — >  D ).  However,  it  still  allows  some  constructions  that  do  not  make  sense  in 
Sets,  like  D  =  (D  — >  2)  — >  2,  which  is  impossible  for  size  reasons. 

One  possible  solution  is  to  change  the  intended  semantics,  say  to  categories  in  domains, 
and  allow  this  formation  rule  for  recursive  types.  Another  is  to  restrict  the  recursor  to  strictly 
positive  types.  This  can  be  achieved  syntactically  by  inspecting  F,  checking  that  r  does  not 
occur  to  the  left  of  an  arrow,  or  semantically  by  formalizing  a  type  of  (indexed)  strictly  positive 
functors  (Abbott  et  al.  2005 }  Chapman  et  al.[|2010[  Martin-Lof  1975),  whose  fixed  points  are 
equivalent  to  IF- types.  Because  the  encoding  of  indexed  IT’ -types  as  IF -types  uses  propositional 
equality,  it  may  be  useful  to  consider  indexed  containers  (Altenkirch  and  Morris  2009[|Gambino 


and  Hyland]  2004 )  as  a  primitive  notion.  Alternatively,  we  could  first  explore  directed  horn  types, 


and  then  investigate  whether  the  encoding  carries  over  to  a  higher-dimensional  and  directed 
setting. 

For  the  remainder  of  this  section,  we  will  informally  check  that  the  definitions  are  strictly 
positive. 


Simply-typed  Signatures 

Expressions:  Purely  Positive  Syntax  A-terms  are  described  by  the  usual  de  Bruijn  datatype: 
exp  :  ctx  — >  set 

exp  =  A  0.  (var(0)  +  (exp  0  x  exp  0)  +  exp  (0,  i)) 
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It  is  instructive  to  type-check  the  right-hand  side:  our  goal  is  to  show  under  the  assumption 
ip  :  ctx',  the  body  is  a  set.  By  the  rules  for  +  (which  can  be  encoded  with  its  usual  rules  using  E 
and  booleans)  and  x  (a  degenerate  E)  this  is  true  if  var(-0)and  exp  ip  and  exp  (ip,  i)  are  sets  under 
this  assumption.  But  both  var  and  exp  are  indexed  contravariantly — for  var,  this  is  expressed  in 
the  formation  rule,  and  for  exp,  this  is  expressed  by  the  — >  in  its  type  (which  is  a  degenerate  II, 
and  arguments  to  such  a  function  are  a  contravariant  position).  Thus,  this  reduces  to  showing 
that  ip :  ctx  and  ip,  i :  ctx  in  (ip  :  ctx')op,  which  is  (ip  :  ctx+),  which  permits  the  variable  to  be  used. 

The  functorial  action  of  this  datatype  implements  weakening,  exchange,  and  contraction:  If 
w  :  T  ==>•  XV  and  e  :  exp  T'  then  (map  w  e ) :  exp  T.  Moreover,  the  generic  equations  of  the 
calculus  ensure  that  weakening  by  the  identity  is  the  identity,  weakening  by  a  composition  is 
composition  of  the  weakenings,  and  so  on. 

Arithmetic  Expressions:  Mixed  Variance  Syntax  Similarly,  we  can  define  mixed-variance 
syntax,  combining  admissibility  and  derivability,  as  in  the  arith  example  above  (assuming  a  set 
of  natural  numbers  with  its  usual  rules): 

arith  :  ctx  — >  set 

arith  =  \  ip.  var  (ip) 

+nat 

+  (arith  ip  x  (nat  — ►  nat  — ►  nat)  x  arith  ip) 

-f- (arith  ip  x  arith  (ip,  i)) 

The  body  type-checks  because  ip  is  only  used  in  positions  of  the  appropriate  variance — for 
example,  if  we  put  arith  ip  to  the  left  an  arrow,  then  the  index  of  arith  would  again  be  a  negative 
position,  and  the  variable  would  not  be  available  for  use. 

This  description  of  the  datatype  captures  the  fact  than  nat  is  constant  in  ip,  rather  than  relying 
on  subordination-based  weakening/strengthening,  as  above.  Below,  we  will  discuss  an  example 
where  a  type  is  indexed  by  two  contexts  of  different  variances. 

Dependently  typed  syntax 

Propositional  Logic:  Intrinsically  Simply-Typed  Syntax  Next,  we  consider  some  examples 
that  go  beyond  the  framework  described  in  Chapter  [5}  First,  we  consider  typed  syntax,  in  the 
special  case  where  the  types  are  not  dependent  on  variables.  This  covers  propositional  logic  and 
intrinsic  encodings  of  simply  typed  languages.  We  assume  a  set  ty  of  object-language  types,  e.g. 
constructed  by 

arr(ri  :  ty,r2  :  ty)  :  ty 

For  this  example,  we  also  need  to  generalize  the  type  ctx  to  lists  of  ty’s,  rather  than  lists  of 
unit,  and  generalize  variables  var('F)  to  r  e  T.  As  with  booleans,  there  is  an  inductive  identity 
function  — " :  27 (ty  — *•  ty)  that  allows  a  contravariant  ty  assumption  to  be  used  contravariantly. 

Consider  the  following  Agda  datatype: 
data  exp  :  ctx  ty  where 
var  :  V  r}  ->  r  6  I1  ->  exp  vp  r 
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lam  :  V  {\P  rl  r 2}  ->  exp  (T  ,  r  1)  r 2  -»•  exp T  (arr  (rl  ,  r2)) 

app  :  V  {'F  rl  r2}  ->  exp  \F  (arr  (rl  ,  r2))  ->  exp  \F  rl  ->  exp  'F  r2 

This  is  a  “Catholic”  inductive  famil)|}J  which  means  that  the  indices  may  vary  in  the  result  of 
each  constructor.  Catholic  families  can  be  made  “Protestant”  (meaning  the  indices  may  vary  in 
recursive  calls,  but  not  results)  by  representing  the  index  constraints  as  explicit  equality  proofs: 

data  exp  (\F  :  ctx)  (r  :  ty)  where 
var  :  r  6  T  exp  T  r 

lam  :  V  {'F  rl  r2}  ->  Id  r  (arr  (rl  ,  r2))  exp  ('F  ,  rl)  r2  ->■  exp  'F  r 

app  :  V  {VF  rl}  ->  exp  T  (arr  (rl  ,  r))  ->  exp  $  rl  ->  exp  'F  r 

Our  above  notion  of  datatype  allows  only  Protestant  families,  which  avoids  any  tacit  use  of 
propositional  equality — a  treatment  of  Catholic  families  in  the  directed  and  higher-dimensional 
settings  is  an  interesting  subject  for  future  work.  However,  when  the  index  constraints  are  on 
elements  of  sets,  we  can  encode  Catholic  families  using  Id.  For  example,  the  Protestant  definition 
of  exp  can  be  rendered  directly  in  2DTT: 

exp  :  (ctx  x  D(ty))  — >  set 

exp  =  A  (0,  r).  t"  G  0 

+Etut2-.D( ty).  Id  r'  arr(n,r2)  x  exp  ((-0, r* ), r2~) 

+Sr;:D(ty).  exp  (0,  arr(r/,  r))  x  exp  (0,t) 

Note  the  use  of  r“,  discussed  above,  to  flip  the  polarity  of  various  types.  This  is  necessary  because 
the  E-bound  ty’s  are  bound  covariantly,  whereas  the  A-bound  ty  is  bound  contravariantly.  An 
alternative,  which  discuss  below,  is  to  consider  a  type  operator  Aop,  and  E-quantify  over  7Xty)op, 
in  which  case  T\  and  r2  would  be  facing  the  appropriate  direction. 

Because  ctx  x  27(ty)  is  a  non-dependent  pair,  there  is  a  transformation  T.  r  T',  r  when¬ 
ever  there  is  a  transformation  w  :  T  T' .  This  gives  the  expected  renaming  principle:  if 

e  :  exp  (-0',  r)  then  map  (w,  refl)  e  :  exp  (-0,  r). 


Mixed  Variance  We  can  also  combine  dependent  types  with  mixed  variance  syntax.  For  ex¬ 
ample,  in  Chapter[4j  we  used  a  constructoij^] 

dlam  :  {T  :  ctx}  {B  :  nat  ->  tp}  ((n  :  nat)  ^rbBn)^rbIIB 
This  constructor  can  be  encoded  as  follows: 

h  :  (ctx  x  D(ty))  — >  set 

h  =  ... 

+  E  5:(nat  — >  ty).  Id  r"  pi (B)  x  Ilxmat.  h  (0,  ( B  x)~) 


This  type  is  functorial  because  the  index  sets  of  the  pi  are  not  parametrized  by  the  context. 

'Catholic  families  requires  the  mysterious  equality  and  its  associated  miracle  of  transubstantiation,  as  the  joke 
goes. 

2  Here  we  have  taken  the  slight  simplification  of  restricting  the  index  set  to  nat. 
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Mixed  Variance  with  Non-constant  Domains  An  example  where  types  appearing  in  negative 
positions  are  dependent  on  a  context  is  Simmons  and  Toninho  (2010)’s  constructive  provability 
logic.  We  encode  a  simplification  here. 

CPL  offers  an  explanation  of  negation-as-failure  in  logic  programming,  using  a  logic  that 
includes  reflection  on  the  provability  of  a  statement  in  another  logic.  For  example,  the  proposition 
sld  (A)  means  that  the  proposition  A  can  be  proved  using  SLD  resolution.  More  interestingly,  the 
proposition  notsld(A)  means  that  A  is  not  provable  using  SLD-resolution,  and  is  introduced  by 
giving  an  admissibility: 

(rhsld(A))  ^  false 
T  b  notsld(A) 


This  rule  would  seem  to  destroy  the  structural  properties  of  F.  However,  the  truth  of  sld  (A) 
depends  only  on  the  sld  variables  in  F,  not  ordinary  truth  variables.  Thus  T  is  still  structural  in 
truth  variables. 

We  can  tease  this  out  by  separating  the  definition  of  the  logic  into  two  judgements  proves  and 
provessld,  and  separating  T  into  two  contexts,  one  for  SLD  variables  and  one  for  truth  variables, 
provessld  is  indexed  only  by  an  SLD  context,  whereas  proves  is  indexed  by  both  contexts.  The 
SLD  context  appears  in  both  positive  and  negative  positions  in  proves,  so  the  judgement  is  in¬ 
variant  in  the  SLD  context.  However,  truth  variables  occur  only  positively,  so  the  judgement  has 
the  usual  structural  properties  for  this  context.  The  type  ctx  is  essentially  a  higher-dimensional 
natural  number,  so  an  invariant  context  is  just  a  natural  number  (with  numbers  less  than  it  as 
variables — this  type  is  usually  called  fin(n)). 

The  intro  rules  for  notsld  and  sld  are  represented  as  follows: 


provessld  :  (nat  x  ©( ty) )  — >  set 

proves  :  (nat  x  ctx  x  D( ty))  — r  set 

proves  =  A(^s|d,^true,0)  ■■■ 

+  E0':ty.  Id  <p~  notsld(0')  x  (provessld('0sw",  cp')  — >  0) 
+  E0':ty.  Id  <f>~  sld (0')  x  provessld (^w,  0'~) 


Note  the  use  of  — which  is  implementable  because  nat  and  ty  are  discrete  types,  to  permit 
natural  numbers  and  types  to  be  used  in  mixed  variance  positions. 


The  Generic  Judgement:  First-order  logic  Next,  we  consider  an  example  where  one  index 
is  dependent  on  another.  We  can  illustrate  this  with  a  simple  fragment  of  first-order  logic: 

TbV0W  T  b  0{id,7z^} 

For  simplicity,  we  assume  that  the  quantifier  can  only  be  instantiated  with  variables,  which  means 
that  the  elimination  rule  requires  only  renaming.  There  is  a  renaming  operation  on  derivations  as 
well:  if  V  ::  T  b  0  and  r  :  T  — >  T'  then  T>{r}  ::  XV  b  (p{r\ — the  renaming  of  the  derivation 
proves  the  renaming  of  the  proposition. 
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Propositions  are  a  simple  syntax: 

propo  :  ctx  — >  set 

propo  =  X'lp.  (var(0)  +  propo  (0,  i)) 

We  think  of  the  variables  as  the  subjects  of  a  single  base  proposition  b(v),  and  the  second  sum¬ 
mand  as  V. 

The  type  of  natural  deduction  derivations  is  defined  to  satisfy 

nd  T  0  =  E  0':propo  ('T,  i).  Id  0  V(0')  x  nd  ('T,  i)  ft 

+E  0':propo  ('T,  i).  Id  0  (map  (refl,  v )  ft)  x  nd  T  V(0') 

+  ... 


Representing  this  parametrization,  where  both  propo  and  nd  are  contravariant  in  T.  as  a  function 
type  requires  some  additional  technology,  which  we  now  discuss. 

8.2.2  The  Attraction  of  Opposites 

In  the  above  examples,  we  have  considered  either  a  hypothetical  judgement,  or  a  generic  judge¬ 
ment,  but  not  both.  An  extension  is  to  consider  both  at  once.  This  would  be  necessary  if,  for 
example,  the  object  logic  included  both  quantifiers  and  implication.  To  represent  the  hypotheti¬ 
cal,  we  use  a  type  h ctx (T') indexed  by  a  generic  context  T.  However,  doing  this  right  requires  an 
op  modality  on  types. 

First,  we  define  a  type  representing  a  hypothetical  context,  which  is  itself  indexed  by  the 
generic  context  T.  The  reason  hctxfTjis  a  type,  rather  than  set,  is  that  transformations  are 
renamings,  analogously  to  ctx. 

pop  |_  ^  .  ctx  T  h  5:  hctx('F)  T  b  0 :  propo  T 

T  h  hctx('T)  type  T  he:hctx('T)  T  h  E,  0 :  hctx('T) 

T  F  a  :  S  =Hctx('j)  -  T  \~  v :  D((f>  G  S) 

r  F  6  .  £1  y hctx( 'T' j  £  r  h  (ft,  v)  .  ££  '‘hctxf'r)  |— 1  i  0  r  h  7T  .  .-j,  0  )' hctx( 

Top  FT:  ctx  Top  hS:  hctx('T)  T  h  0 :  propo  T  T  hr  O(0o  G 

T  h  0  G  S  :  set  F  hz:0(0G  (5,0))  F  h  s(v) :  D(0O  G 

An  object  language  judgement  T;E  h  0  will  be  represented  as  a  type  family  nd  T  5  0. 
However,  we  must  ensure  that  nd  has  the  appropriate  variance:  because  of  the  orientation  of  the 
renamings,  it  should  be  contravariant  in  both  context  arguments.  Thus,  the  obvious  candidate 
type  is 

T  :  ctx", S  :  hctx('T)",  0 :  propo  VF+  h  nd  'F  S  0  type 

However,  this  does  not  type  check.  The  problem  is  that  marking  S :  hctx(  T  )"  as  a  contravari¬ 
ant  assumption  means  that  it  should  be  well-formed  contravariantly  in  the  preceding  context, 
whereas  in  this  case  it  is  well-formed  covariantly.  If  we  instead  mark  E  :  hctx(  T)+  as  a  covariant 
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assumption,  the  context  is  well-formed,  but  the  type  cannot  be  defined  as  intended,  as  the  de¬ 
pendence  on  hctx(— )  faces  the  wrong  direction.  An  ad-hoc  solution  to  this  problem  would  be  to 
reverse  the  direction  of  the  morphisms  in  the  definition  of  hctx(— ). 

The  right  solution  is  to  provide  finer  control  over  the  variance  of  types.  The  essence  of 
the  problem  is  that  Hx:A.  B  ties  together  two  independent  notions:  First,  A  is  well-formed 
contravariantly  in  the  ambient  context.  Second,  the  dependence  of  B  on  A  is  contravariant — for 
example,  in  the  special  case  where  A  and  B  are  both  closed,  II  x:  A.  B  is  equivalent  to  the  functor 
category  Aop  — >  B. 

This  limitation  can  be  lifted  by  introducing  a  type  constructor 

T  b  A  type 
T  b  Aop  type 

that  is  interpreted  by  taking  the  opposite  of  A  point-wise  (i.e.  if  A  :  T  — >  Cat  then  Aop  = 
op  o  A).  We  have  not  yet  considered  how  to  present  rules  for  this  type  syntactically, 
nd  can  then  be  rendered  as 

T  :  ctx",  H  :  hctx('T)op+,  <f> :  propo  \l/+  b  nd  T  H  0  type 

This  expresses  that  5  is  well-formed  covariantly  in  T.  but  the  dependency  of  nd  on  it  is  con¬ 
travariant. 

We  can  also  now  explain  the  dependency  of  nd  as  a  function  type,  putting  it  into  the  same 
form  as  the  non-dependent  examples  discussed  above. 

nd  :  (E  'I':ctxop.  E  S:hctx(T')op.  propo  'F)op  — >  set 

The  inner  op’s  are  necessary  for  the  dependency  on  T  in  later  components  of  the  E;  the  outer  op 
cancels  the  op  that  is  implicit  in  — >.  An  alternative  would  be  to  use  a  function  space  that  does  not 
have  an  implicit  op  around  the  domain,  which  we  discuss  below. 

Alternative  presentation  Given  the  op  modality,  there  is  an  alternate  presentation  of  2DTT  in 
which  If  x:A.  B  requires  a  covariant  dependence  of  B  on  /I  by  default,  with  contravariant  de¬ 
pendency  encodable  using  op.  Moreover,  this  presentation  accords  slightly  better  with  category- 
theoretic  conventions,  in  which  the  Grothendieck  construction  for  a  contravariant  functor  A  con¬ 
structs  a  fibration  fr  A  as  follows: 

•  an  object  of  fc  A  is  a  pair  (o,  a)  where  o  G  Ob  C,  and  a  e  Ob  A(o ). 

•  a  morphism  from  (o,  a)  to  (o',  a')  is  a  pair  (c,  /)  where  c  :  o  — o'  and  /  :  o  — >a(o') 
A(c)o' 

This  is  related  to  the  covariant  Grothendieck  construction  by 

(  [  A)op  =  [  Aop 

Jr  J  r°p 

In  this  notation,  our  present  notion  of  contravariant  context  extension  T  ,  x:A"  is  interpreted  as 
/r  Aop,  which  means  that  the  morphisms  require  for  a  map  /  :  A(c)o'  — >a(0')  o,  facing  in  the 
opposite  direction  from  above. 
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The  direct  definition  of  fr  A  requires  the  op  modality  on  types,  because  the  substitution  in¬ 
troduction  rule  is: 

6:T — >  A  M  :  Tm  Top  Aop[6op] 

—  J2A 

Our  current  presentation  avoids  mention  of  the  op  modality  by  only  allowing  fr  Aop,  in  which 
case  the  double-op  cancels  when  the  above  rule  is  unfolded. 

Of  course,  given  op,  this  presentation  is  isomorphic  to  one  that  still  takes  the  present  definition 
of  T  ,  x:A~  as  primitive,  as  T  ,  x:Aop~  interprets  as  fr  A  (by  canceling  double-ops). 


8.2.3  Substitution  and  Other  Structural  Properties 


Above,  we  have  considered  only  renamings,  which  give  weakening,  exchange,  and  contraction 
for  positively  occuring  variables.  Our  approach  generalizes  to  additional  structural  properties 
by  considering  additional  context  categories.  For  example,  the  fact  that  all  signatures  admit  ex¬ 
change  can  be  expressed  by  showing  that  all  types  are  functorial  in  the  category  ctx~  of  contexts 
and  bijections  between  them.  This  holds  because  ctx~  has  projections  both  to  ctx  and  ctxop.  The 
restriction  to  bijections  ensures  that  inverse  exchanges  compose  to  the  identity.  Similarly,  all 
types  admit  weakening  and  strengthening  of  variables  whose  types  are  insubordinate  to  A:  all  A 
are  functorial  in  ctx-"4,  the  category  of  contexts  that  differ  only  by  types  that  are  insubordinate 
to  A,  which  is  again  symmetric.  This  holds  because  the  subordination  condition  implies  that 
B  E  T  is  preserved  by  adding  or  deleting  insubordinate  /l’s.  These  contextual  categories  can 
be  composed.  For  example,  a  schema  with  positive  and  negative  occurrences  of  the  context  is 
functorial  in  renamings,  which  additionally  only  weaken  or  contract  variables  in  subordinate  to 
its  contravariant  types.  This  can  be  represented  as  a  category  of  contexts  that  has  projections  to 
both  ctx  and  ctx-"4.  2DTT  is  a  natural  setting  to  explore  this  hierarchy  of  contexts. 

Next,  we  come  to  substitution,  which  has  a  slightly  different  flavor.  Whereas  renaming  is 
functorial,  substitution  is  monadic  (Altenkirch  and  Reus;,  1999).  More  precisely,  substitution 
endows  terms  with  the  structure  of  a  relative  monad  (|Altenkirch  et  al.  2010) — which  is  a  gener¬ 
alization  of  monads  to  non-endofunctors.  This  generalization  is  necessary  because  exp  ctx  — >  set 
is  not  an  endofunctor.  Thus,  our  approach  to  substitution  will  be  to  have  a  type  constructor  for 
constructing  a  relative  monad  from  a  signature. 

In  simpler  terms,  the  programmer  will  write  a  signature  expressed  as  a  (perhaps  strictly  pos¬ 
itive)  functor  that  is  parametrized  by  the  recursive  call.  E.g. 

exp  :  (ctx  — >  set)+,  ip :  ctx'  h  expsig  :  set 
expsig  =  (exp  ip  x  exp  ip)  +  exp  (ip,  % ) 


From  this  we  can  generate 

•  The  type  exp  :  ctx  — >  set  =  \  ip.  p(exp. ip.  expsig,  ip) 

•  The  type  ctx'  of  term-for-variables  substitutions. 

•  The  type  exp'  :  ctx'  — >  set  of  expressions  equipped  with  substitution. 

Given  a  signature  that  potentially  takes  advantage  of  dependent  types  and  mixed  variance,  this 
construction  will  allow  the  programmer  to  get  all  of  the  available  structural  properties  for  free 
from  the  signature  description. 
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8.2.4  Covariant  IPs 

Using  the  rules  above,  a  contravariant  assumption  can  be  internalized  as  a  function:  if  T,  x  :  A"  b 
M  :  B  then  F  b  A  x.  M  :  II :  A .  B.  It  is  natural  to  ask  whether  anything  analogous  can  be  said 
for  covariant  variables:  is  there  any  sort  of  function  space  internalizing  T,  x  :  A+  b  M  :  B1  As 
we  have  observed  above,  the  problem  with  attempting  to  naively  construct  such  a  function  space 
is  that  A  is  well-formed  covariantly  in  F,  so  map  is  not  definable  by  pre-  and  post-composition. 

However,  there  is  in  fact  such  a  function  type,  and,  as  it  turns  out,  we  have  already  seen  the 
seeds  of  it  in  Chapter[5]  In  the  NBE  example,  we  observed  that  a  function  of  type 

V'Fp'F  +  p)sem  — >  (\&  +  T  i  )sem 

is  always  weakenable  to  any  context  bigger  than  T.  because  it  explicitly  accounts  for  such  ex¬ 
tensions.  Thus,  map  is  definable  by  instantiating  the  quantifier. 

Categorically,  this  type  corresponds  to  the  exponential  object  in  the  category  of  presheaves: 
given  two  functors  A,  B  :  T  — >  Sets,  where  F  is  a  small  category,  there  is  a  functor  BA  :  F  — > 
Sets  defined  by 


BA(o )  =  HomSetsr(Homr(o,  -)  x  A,  B) 

BA(c  :  ol  — o2)  =  f  i— ►  (o'  i— >  (c'  :  o2  — ■>  o',  x )  i— ►  f0,(c'  o  c,  x)) 

Here  Homr(o,  — )  :  F  — >  Sets  is  the  covariant  horn  functor,  which  sends  each  object  o'  to  the 
set  of  maps  in  T  from  o  to  o': 


Ho7Tl(o,  — )  (o')  =  Ho77lr(o,o') 

Hom(o,  — )(c  :  Oi — >r  o2)  =  (/  :  o — >Oi)^co/ 

Thus,  Ba  sends  each  object  o  to  the  set  of  natural  transformations  (which  are  the  maps  in  the 
functor  category  Setsr )  from  Homr(o ,  — )  x  A  to  B.  Spelling  out  this  definition,  we  see  that 
an  element  of  BA(o )  is  a  function  Vo' .Homr(o,  o')  x  A(o')  — >  B(o'),  which  is  natural  in  o'.  If 
we  ignore  the  naturality  constraint,  this  specializes  to  the  type  above  if  we  take  Hom( P  T'j  to 
mean  P  =  T  +  Tv  for  some  p. 

The  action  on  morphisms  works  by  instantiating  the  quantifier:  if  we  are  given 
/  :  Homr(oi,  — )  x  A  = =>•  B  and  (c  :  0\  — >r  o2),  we  need  to  make  a  natural  transformation 
g  :  Ho?rir(o2 ,  — )  x  A  B.  This  is  defined  by  taking 

gQ>  =  (c'  :  o2  — >  o',  x  :  A(o))  i->  /D/(c'  o  c,  x ) 

Naturality  follows  from  the  naturality  of  /.  That  is,  /  already  works  for  all  “future”  objects  of  F, 
and  by  composition  the  future  of  the  future  is  the  future. 

Our  next  task  is  to  figure  out  how  to  describe  this  type  syntactically.  A  first  cut  is  to  define  a 
type 

T  b  A  :  set  T  b  B  :  set 
T  h  Ba:  set 

However,  there  are  two  problems  with  this  rule.  The  first  is  technical:  the  object  BAofSetsA 
does  not  interact  in  the  usual  way  with  substitution,  in  that  BA[6]  is  different  than  B\0\A^°  .  For  an 
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( Non-dependent )  context  append: 

T  ctx  A  ctx  T  F  91  :  Ai  T  F  02  :  A2  r  F  <5i  :  6X  =>Al  0i  T  h  <52  :  02  ^a2  0'2 
r,  Actx  r  1-0!,  02  :  A1;A2  rh  (di,^)  :  0!,02  =^Ai,a2  0[,0'2 

Non-dependent  transformation  assumptions: 

rctx  Actx  r  h  0i  :  A  rh02:A  d  :  0j  =►  A  €  T  Th0:A  r  F  <5  :  0j  [0]  02  [0] 

r  ,  d:Oi  =^A  02  ctx  rhd:0i=^A02  r  F  0,<5/d  :  A,d:0i  02 


r  F  Jo  :  6  =^A  0' 

r  F  reflag]  o<$  =  o  reflgj  [£p] :  0j  [0]  =?>^0g[0/] 

T  h  (50,  *)  :  0,5  =>A,d:01=>9e2  O' i  & 

Covariant  functions: 

A  ctx  T  F  0  :  A  A  F  .A,  B  :  set  T,  A,  d  :  [0  =^A  idA),  x  :  Z>(A)+  F  M  :  22(5) 
r  F  n+(A  >  6). A  ->B:  set  r  F  AA,  d,  x.M  :  V(U+(A  >  0).A  -+  B) 

r  hM:  D(II+(A  >  9i).A  —*  B)  F  F  02  :  A  r  F  <5  :  0X  =>A  6>2  T  F  A :  £>(A[0g]) 


T  F  M(92,5,N):‘D(B[02}) 

(AA,  d,  x.M)(02,  5,  N) 

=  M[idr,  02,  S/d,  N+/x] 

P 

M 

=  AA,  d,  x.M(\6a,  d,  x) 

V 

(U+(A>0).A^  B)[0o] 

=  IT(A  >  0[0O]).A  -»•  B 

l-subst 

(n+(A  >  9). A  -»•  fl)[<J] 

=  /.AA,  d,  x./(idA,  d  o  9[S\,  x) 

1-resp 

(\A,d,x.M)[60} 

=  AA,  d,  x.M[9q,  idA,  d/d,  x+/x\ 

l-subst 

M(02,8,N)[0o } 

=  M[0o](0[0o],<J[reflflo],iV[0o])  ' 

(AA,  d,  x.M)[5] 

EE  ~k 

1-resp 

M(9g,5,N)[5 } 

EE  ~k 

Figure  8.2:  2DTT:  Covariant  Functions 
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object  o  G  A,  the  former  quantifies  over  all  futures  of  0{o)  in  T,  whereas  the  latter  quantifies  over 
all  futures  of  o  in  A,  and  these  are  not  necessarily  the  same.  Thus,  we  cannot  define  substitution 
compositionally.  The  second  is  practical:  the  type  BA  doesn’t  quite  match  our  intuition  from  the 
NBE  example,  as  there  is  no  place  to  write  the  bounding  context  T. 

Both  of  these  problems  arise  because  the  type  T  b  B A  :  set  is  defined  so  that  it  anticipates 
extensions  in  the  ambient  context  T,  which  means  that  this  type  reflects  upon  the  context  in  a  way 
that  other  type  constructors  do  not.  In  type  theory,  the  connectives  always  build  in  a  composition, 
so  that  they  can  be  judged  well-formed  in  an  arbitrary  context.  The  above  rule  fails  to  do  so. 

The  solution  is  to  build  in  this  composition  and  make  the  bound  an  explicit  part  of  the  type 
constructor:  we  define  a  type  IT  (A  >  6).  A  — >  B 

A  ctx  T  b  6  :  A  A  b  A,  B  :  set 
T  b  n+(A  >  9). A  -f  5:  set 

For  example,  if  we  take  A  to  be  a  single  assumption  T' :  ctx,  and  T  is  a  context,  and  A,  B  are 
well-formed  in  T'  :  ctx,  then  we  can  form  the  type  n+(T' :  ctx  >  T).A(T')  —>  5('k/),  as  above. 
Then  the  substitution  into  IT  (A  >  6).  A  — *  B  is  defined  by  composing  substitutions. 

Next,  we  need  intro  and  elim  rules  for  this  connective.  Based  on  the  semantics,  IT  (A  > 
6).  A  — >  B  should  classify  functions,  that,  for  every  O'  reachable  from  6  and  A [6],  produce  a  B[6']. 
Stating  this  syntactically  requires  a  couple  of  new  ingredients:  substitution  and  transformation 
variables.  Thus  far,  we  have  considered  the  transformation  judgements  only  on  the  right.  It  is 
also  possible  to  allow  hypothetical  transformations  as  a  judgemental  notion,  even  though  it  is  not 
obvious  how  to  internalize  transformations  as  a  dependent  type. 

In  Figure  |8.2[  we  give  the  rules  for  these  concepts:  The  first  set  of  rules  allow  a  context  to 
be  extended  with  an  entire  context  (which  is  not  dependent  on  the  first) — the  rules  are  exactly 
those  for  the  product  category.  The  next  set  of  rules  define  transformation  variables:  a  con¬ 
text  can  be  extended  with  a  transformation  variable,  and  transformation  variables  can  be  used 
as  transformations.  A  substitution  into  T  ,  d:6b  02  consists  of  a  substitution  into  T  and  a 
transformation  for  the  substitution  instance.  A  transformation  between  such  substitutions  con¬ 
sists  of  a  transformation  for  the  first  component,  such  that  a  naturality  condition  holds  for  the 
second  components — because  the  theory  is  2-dimensional,  there  is  no  notion  of  morphism  be¬ 
tween  transformations.  We  elide  the  equality  rules  for  these  contexts.  We  could  also  allow  term 
transformation  variables  a  :  M  =^a  N,  but  they  are  not  necessary  for  this  construction. 

The  introduction  rule  for  IT(A  >  6). A  — >  B  internalizes  a  hypothetical  term  as  a  function. 
Note  the  weakenings:  6  is  dependent  only  on  T,  and  id  a  and  A  and  B  only  on  A.  The  elimination 
rule  is  symmetric.  The  f3r]  rules  express  that  this  is  an  isomorphism.  The  1-resp  rule  for  IT(A  > 
6). A  — >  B  simply  composes  substitutions.  The  1-resp  rule  composes  transformations  (the  future 
of  the  future  is  the  future),  as  discussed  above.  It  is  also  necessary  to  adjust  A  by  0  because  of  the 
built-in  composition.  The  1-subst  rules  are  compositional;  the  1-resp  rules  are  computationally 
trivial,  but  require  checking  that  the  equations  hold. 

While  these  rules  are  operationally  sensible,  they  allow  impredicativity.  For  example,  A 
might  be  a  :  set,  in  which  case  IT(a  :  set  >  0+/a).A  — *  B  permits  impredicative  polymorphic 
quantification  over  sets,  as  in  the  System  F  type  Va.A(a)  — >  B(a).  Thus,  we  may  wish  to  restrict 
the  formation  rule  for  covariant  IT’s  in  order  to  avoid  impredicativity.  We  leave  an  investigation 
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of  the  necessary  restrictions  to  future  work;  for  example,  quantification  over  set  might  increase 
the  size  of  the  type. 

The  type  IT  (A  >  ()).A  — >  B  described  here  can  be  generalized  in  two  ways:  First,  we  can 
generalize  the  — >  to  a  II,  by  allowing  the  domain  type  type  A  to  depend  on  d  :  0  ==>•  id  a,  and 
the  range  type  B  to  depend  on  both  d  and  x  :  A*.  Second,  we  can  generalize  from  sets  to  types. 
Here,  we  have  considered  the  exponential  of  two  presheaves.  This  construction  generalizes  to 
functors  into  Cat,  using  the  exponential  of  two  fibrations. 


Applications  at  set  If  A  has  an  initial  object,  then  we  can  derive  an  unbounded  quantifier 
from  the  bounded  quantifier.  For  example,  at  set,  we  write  IT  (a  :  set).  A  — >  B  for  IT  (a  :  set  > 
0+/a).A  — >  B.  There  is  a  unique  transformation  0+  ==^set  S+  given  by  x. abort  x,  so  we  can 
ignore  the  transformation  argument  to  functions  and  applications. 

Naturality  properties  of  polymorphic  functions  are  typically  only  made  available  in  exter¬ 
nal  logics  based  on  relational  parametricity.  In  2DTT,  they  are  instead  available  as  definitional 
equality  principles  inside  the  type  theory.  For  example,  we  can  derive  the  fact  that  a  polymorphic 
function  on  lists,  of  type  II+(a  :  set).list(a)  — >  list(a),  commutes  with  map: 

If  P  :  II+(a  :  set).list(a)  — ■>  list(a) 
x.F  :  Si  =^set  S2 
L  :  list(Si) 

then  mapa  £)(|ist(o))  (x.F)  P(S1,  L)  =  P(S2 ,  mapa  D(list(fl))  (x.F)  L) 

This  makes  essential  use  of  directedness:  in  a  higher-dimensional  symmetric  type  theory,  Si  =^>SE 
S2  would  classify  only  equivalences,  though  typical  applications  of  this  reasoning  principle  apply 
it  to  arbitrary  functions  from  Si  to  S2. 

Contravariant  II  x :  A .  B  satisfies  naturality  conditions  as  well.  The  reason  it  cannot  be  used 
for  this  example  is  that  the  type  II  a:set.  list(a)  — >  list(a)  is  not  well-formed,  because  the  as¬ 
sumption  a  can  only  be  used  in  contravariant  positions.  The  type  II+(a  :  set).list(a)  — >  list(a)  is 
necessary  to  allow  a  to  be  used  in  both  the  domain  and  range. 


Applications  at  ctx  Using  II+(0  :  ctx'  >  P~  /P). exp  P  — »  exp  0  we  can  reproduce  some  famil¬ 
iar  results  relating  functions  to  de  Bruijn  form,  which  has  applications  to  higher-order  abstract 
syntax  (Fiore  et  ah ,  1999)  Hofmann,  1999 ). 

Suppose  ctx  includes  term-for-variable  substitutions.  Then  there  is  a  type  isomorphism 


(II+(0 :  ctx'  >  ^'/-0).exp  0  — >  exp  0)  =  exp  (  P ,  i) 


Intuitively,  this  says  that  the  space  of  functions  that  work  in  all  future  contexts,  naturally  in 
substitutions,  is  the  same  as  the  space  of  derivabilities  represented  in  de  Bruijn  form.  The  reason 
for  this  is  that  both  represent  exactly  substitution  functions.  Thus,  we  have  a  negative  (in  the 
focusing  sense)  function  space  that  is  isomorphic  to  a  positive  representation  in  de  Bruijn  form. 
This  provides  another  explanation  as  to  why  substitution  functions  can  be  used  in  inductive 
definitions,  and  why  their  polarity  is  somewhat  confusing:  they  can  be  isomorphically  thought 
of  as  either  positive  or  negative. 
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From  right  to  left,  the  isomorphism  sends 

e  i-»-  Xip,  d,  x.map^,  exp^,  (d,x)  e 

which  substitutes  its  argument  for  the  last  variable  in  e.  From  left  to  right,  it  instantiates  the 
quantifier  with  a  context  with  one  extra  variable,  plugs  i r  in  for  the  transformation,  and  plugs  the 
new  variable  in  for  x. 

f  ^  /((^,  0AM,v(z)) 

Using  naturality,  these  maps  can  be  shown  to  be  mutually  inverse.  Without  naturality,  these  maps 
back  and  forth  can  be  defined,  but  the  type  (IE  (ip  :  ctx'  >  /ip). exp  ip  — »  exp  ip)  is  broader  than 
exp  ('F,  i),  because  its  elements  functions  may  analyze  their  argument. 


HOAS  At  first  glance,  one  might  hope  that  this  type  isomorphism  will  provide  a  convenient 
higher-order  way  to  write  down  syntax.  Unfortunately,  elements  of  (IE(ip  :  ctx'  >  /ip). exp  ip  — 
exp  ip)  are  no  easier  to  write  than  de  Bruijn  terms:  as  the  above  isomorphism  shows,  a  term 
A  ip' ,  (L  x.e  gets  a  new  weakening  function  (d)  and  a  new  last  variable  (./;),  and  weakening  and 
other  structural  properties  must  be  marked  explicitly,  just  as  in  de  Bruijn  form. 

However,  following  jHofmann]  (1999 ),  we  may  be  able  to  introduce  HOAS  as  a  special  syntax 
for  the  functor  category  ctx  — >  set.  This  category  is  itself  a  Cartesian  closed  category,  with 
exponentials  BA  given  by  A  ip.  (1  ['(A//  :  ctx'  >  ip' /ip').  A  ip'  — >  B  ip').  The  interpretation  of  A- 
terms  into  this  CCC  thus  constitutes  a  semantically  motivated  parser  trick  for  writing  de  Bruijn 
form  in  a  higher-order  notation. 


8.2.5  Higher-Dimensional  Quotient  Types 

In  ordinary  type  theory,  one  can  consider  quotient  types  A/R,  where  R  is  an  equivalence  relation 
on  A:  the  elements  of  A/R  are  the  elements  of  A,  but  two  elements  are  considered  equal  when¬ 
ever  they  are  related  by  R.  In  2DTT,  the  analogous  operation  is  forming  a  type  from  an  internal 
category — a  description  of  a  category  inside  the  theory.  In  the  symmetric  higher-dimensional 
case,  we  can  introduce  a  new  type-forming  operation  as  follows: 

0  : set- 

A  :  O  0  set- 
r  :  II  x:  O.  A  x  x 

t:Jlxi,X2,xs:0.  A  x%  X3  x2  — >  Axi  X3 

t  r  p  =  p 
t  p  r  =  p 

t(tPi  P2)P3  =  tpi  ( tps  p3) 

cat (0,A,r,  t)  type 

Terms  and  equivalences  are  introduced  by  the  corresponding  sets: 

M:  0  P  :  A  [Mj\  [M2] 

[M]  :  cat (O,  A,  r,  t)  [P]  :  Id cat{o,A,r,t)  [M]}  [Me\ 
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and  terms  can  be  eliminated  by  a  raw  function  that  respects  equality: 

M  :  cat(0,  A,  r,  t)  R:O^C  P  :Ux,y:0.  Ax  y  — >•  Id^  (R  x)  (R  y) 

celim(M,  R,  P) :  C 

Adapting  these  rules  to  the  directed  case  is  an  important  piece  of  future  work,  as  it  will  allow 
programmers  to  introduce  types  such  as  ctx  and  hctx('F),  and  write  elimination  forms  such  as  n, 
without  extending  the  language. 


Discretization  We  can  go  further  and  expose  the  fact  that  every  type  can  be  viewed  in  the  form 
cat(0,  A,  r,  t).  To  do  this,  we  need  an  operation  \A  that  forgets  the  higher-dimensional  structure 
of  a  type.  Above,  we  considered  nat  to  be  an  “invariant”  version  of  ctx.  This  is  an  instance 
of  a  general  construction:  Given  a  structured  type  A,  there  is  a  set  Ob  A,  and  therefore  a  type 
0(  0 b  A).  This  type  forgets  the  morphism  part  of  A,  leaving  only  the  underlying  set  of  objects, 
which  are  now  only  transformable  if  they  are  equal.  In  fact,  Ob  —  and  D(— )  are  a  section- 
retraction,  because  Ob  T)(S)  =  S.  Semantically,  it  is  clear  what  the  functor  Ob  :  Cat  — >  Sets 
means,  but  we  have  not  investigated  a  proof  theory  for  it.  Because  0(  0 b  A)  forms  a  comonad, 
which  we  will  abbreviate  as  IA,  it  could  potentially  be  given  a  proof  theory  analogous  to  the 
necessitation  operator  in  modal  logic  (Pfenning  and  Davies,  2001).  For  example,  there  is  an 
operation  un!  M  which  has  type  A  if  M  :  \A. 

Using  !,  we  can  directly  expose  the  semantic  definitions  of  types  and  terms  in  the  type  theory. 
For  example,  we  may  add  a  rule  that  encodes  the  definition  of  Tm  F  A: 


r  b  A  type 

!T  b  M:!A[un!  id] 

x  :!T,  y  :!T,  d  :  un!  x  ==)>a  un!  y  b  a  :  un!  (mapA  d  M[id^])  ==)>A[un!  y\  un!  (Mfid^j) 

ct[refl]  =  ref  I 

a[d,2  o  d\]  =  a[d2/d]  o  resp1  (x.map  d2  x)  a[di/d] 

T  b  explicit(M,  a) :  A 


8.2.6  Directed  Horn  Types 

Thus  far,  we  have  treated  equality  as  a  judgement,  which  is  necessary  because  the  usual  con¬ 
struction  of  the  identity  type  in  symmetric  type  theory  does  not  apply  in  the  directed  case.  For 
review,  identity  types 

r  b  A  type  r  b  M:A  T  h  N  :  A 
r  b  IdA  M  N:  set 

are  interpreted  by 

(Id AM  N)(o)  =  HomA{o)(M(o),N(o)) 

(ldA  M  N)(c  :  01  — >  o2)  =  f  :  HomA^ol)(M(o1),  N(oi))  ^  N(c )  o  A(c)(f)  o  M(c)_1 

The  functoriality  of  the  type  constructor  depends  on  the  symmetry  of  HomA(o ),  because  M(c)  : 
A(c)M(oi)  — >  M(o2),  but  the  construction  requires  a  map  M(c)  :  M(o2)  — »  A(c)M(oi). 
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In  addition  to  the  judgemental  notion  of  transformation,  it  would  be  useful  to  have  a  first- 
class  directed  hom  type,  which  could  be  freely  mixed  with  the  other  type  constructors.  There  are 
several  potential  solutions  to  this  problem: 

One  option  is  to  define  the  hom-types  a  relation  on  objects  of  a  type,  using  the  !  type  con¬ 
structor  discussed  above: 


T  b  A  type  T  b  M:\A  T  b  N  :  \A 
T  b  horrid  M  N  :  set 

Transformation  at  \A  is  just  equality,  and  it  is  therefore  symmetric  even  if  A  is  not.  This  defini¬ 
tion  is  restrictive,  because  equations  are  restricted  to  elements  M  that  respect  transformation  on 
the  context  on-the-nose,  rather  than  up  to  transformation.  However,  it  matches  category-theory 
practice  of  defining  the  Hom- set  on  the  objects  of  a  category. 

Another  solution  is  to  define  the  hom-type  so  that  it  is  explicitly  contravariant  in  M,  which 
accounts  for  the  symmetry  required  by  functoriality. 

T  b  A  type  T  b  M:Aop  £  b  N  :  A 

r  b  horrid  M  N  :  set 

However,  it  is  unclear  what  the  rules  for  this  type  should  be — for  example,  reflexivity  and  tran¬ 
sitivity  do  not  (obviously)  make  sense,  because  it  relates  two  terms  of  opposite  variances. 

Both  of  these  types  make  sense  semantically,  but  it  is  unclear  what  the  right  notion  to  inte¬ 
grate  into  the  type  theory  is,  or  how  they  related  to  each  other  and  to  the  judgemental  notion  of 
transformation. 


8.2.7  Universes  and  Higher-dimensions 


Existing  proof  assistants  have  a  size  hierarchy  which  is  used  to  avoided  the  paradox  of  type  :  type. 
Higher-dimensional  type  theories  have  an  additional  axis  of  dimensionality.  These  are  mostly 
orthogonal  ideas:  there  can  be  small  types  of  high  dimension,  and  large  types  of  low  dimension. 
However,  there  are  some  relationships;  for  example,  the  collection  of  all  ('/-dimensional  types  of 
size  l  naturally  forms  an-f  1 -dimensional  type  of  size  l  +  1.  For  example,  the  collection  of  all 
sets  naturally  forms  a  large  category.  Exploring  this  matrix  is  an  important  piece  of  future  work, 
generalizing  2DTTto  ccDTT.  Here,  we  take  the  first  step  of  situating  our  present  approach  in  the 
hierarchy.  For  simplicity,  we  discuss  these  issues  in  the  symmetric  setting. 

Current  proof  assistants  such  as  Agda  and  NuPRL  commit  to  the  fact  that  all  types  are  sets, 
in  the  above  sense  of  being  of  dimension  one.  However,  intensional  type  theories,  like  Agda, 
and  extensional  type  theories,  like  NuPRL,  differ  in  how  they  expose  this  set-hood  to  the  user.  In 
intensional  type  theories  like  Agda,  it  is  through  propositional  uniqueness  of  identity  proofs.  This 
can  be  expressed  in  many  equivalent  ways  (see  Hofmann  and  Streicher  (|1998 )),  one  of  which  is 
that  all  proofs  of  propositional  equality  are  themselves  propositionally  equal:  for  all  A,  there  is  a 
term  of  type  UIPA,  where 

UIP  A  =  {x  y  :  A}  {p  q  :  Id  A  x  y}  ->  Id  (Id  A  x  y)  p  q 

On  the  other  hand,  in  extensional  type  theories,  set-hood  is  expressed  in  two  ways:  (1)  propo¬ 
sitional  equalities  induce  definitional  equalities  and  (2)  all  proofs  of  propositional  equality  are 
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definitionally  equal: 


P:\dAM  N 
M  =  N  :  A 


reflect 


P:\dAM  N 
P  =  refl  M  ■  Id  a  M  N 


uip-def 


Note  that  the  first  rule  is  necessary  for  type-checking  the  second. 

This  raises  the  question  of  how  these  notions  of  intensional  and  extensional  set-hood  gen¬ 
eralize  to  higher-dimensional  type  theories.  Here,  we  argue  that  they  arise  from  two  different 
interpretations  of  the  definition  of  an  n-groupoid.  Consider  a  general  cu-groupoid  interpreta¬ 
tion  of  type  theory  (Garner,  [2009 [  Lumsdaine]  |2009|).  Semantically,  a  closed  type  A  denotes  an 
cu-groupoid.  By  definition  an  ut-groupoid  is  an  n-groupoid  if,  for  j  >  n,  every  two  parallel  j- 
morphisms  are  equivalent.  This  expresses  a  cut-off  condition  which  says  that  the  structure  above 
dimension  n  is  trivial. 

Intensional  n-groupoids  arise  from  transcribing  this  cut-off  condition  directly  into  the  type 
theory,  using  propositional  equality  for  equivalence: 

Definition  8.2.1:  Intensional  n-GROUPoros. 


1.  Intensional  Propositions:  A  is  an  intensional  —  1-groupoid  if  A  is  an  intensional  0-groupoid 
and  there  is  a  term  of  type 

(x  y  :  A)  ->  Id  A  x  y 

2.  Intensional  Sets:  A  is  an  intensional  0-groupoid  if  A  is  an  intensional  1-groupoid  and  there 
is  a  term  of  type 

(x  y  :  A)  (p  q  :  Id  A  x  y)  ->  Id  (Id  A  x  y)  p  q 

3.  Intensional  Groupoids:  A  is  an  intensional  1-groupoid  if  A  is  an  intensional  2-groupoid 
and  there  is  a  term  of  type 

(x  y  :  A)  (p  q  :  Id  A  x  y)  (r  s  :  Id  (Id  A  x  y)  p  q)  ->  Id  r  s 

4.  ... 

5.  A  is  an  intensional  cu-groupoid 

These  definitions  say  that,  up  to  propositional  equality ,  a  proposition  has  only  one  inhabitant, 
a  set  is  discrete,  the  2-cells  of  a  groupoid  are  discrete,  etc. 

On  the  other  hand,  we  can  ask  for  the  stronger  condition  that  this  cut-off  condition  holds  up 
to  equality,  not  just  equivalence:  A  is  strictly  an  n-catcgory[]if  for  all  j  >  n,  every  j -morphism 
is  the  identity. 

Rendering  this  condition  type-theoretically  gives  the  rules  of  extensional  type  theory: 
Definition  8.2.2:  Extensional  n-GROUPoms. 


1.  Extensional  Propositions:  A  is  an  extensional  —1-groupoid  if  A  is  a  0-groupoid  and  for  all 
M,  N  :  A,  M  =  N  (the  set  of  O-morphisms  from  M  to  N  is  defined  to  be  the  one-element 


set).  I.e. 


M  =  N:A 


reflect 


3Note  that  "strictly”  has  nothing  to  do  with  whether  the  n-category  is  strict  or  weak — whether  the  identity  and 
composition  laws  hold  on  the  nose  at  each  level,  or  up  to  higher-dimensional  structure — but  with  whether  the  cut-off 
condition  is  phrased  in  terms  of  equality  or  equivalence. 
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2.  Extensional  Sets:  A  is  an  extensional  0-groupoid  if  A  is  a  1-groupoid  and  for  all  M,  N  :  A 
if  P  :  ld  ^  M  N  then  M  =  N  and  P  =  refl m- 


P:\dA  M  N 
M  =  N  :  A 


reflect 


P:\dA  M  N 


P  =  reflM  :\dAM  N 


uip-def 


3.  Extensional  Groupoids:  A  is  an  extensional  2-groupoid  if  A  is  a  2-groupoid  and 


R :  Id 


IcU  M  N 


P  Q 


P  =  Q  :  Id  4  M  N 


reflect 


R  :  Id 


IcU  M  N 


P  Q 


R  =  refl  P 


uip-def 


5.  A  is  an  extensional  cu-groupoid 

Note  that  this  definition  uses  definitional  equality — i.e.  equality  on  objects — and  is  hence 
“evil”  (not  stable  under  equivalence).  In  the  limit,  the  intensional  and  extensional  cu-groupoids 
are  the  same — because  there  is  no  cutoff-condition. 

The  usual  trade-offs  between  intensional  and  extensional  type  theory  apply  in  the  higher¬ 
dimensional  case:  Extensional  groupoids  make  type  checking  a  term  undecidable,  because  reflect 
throws  away  the  equality  proof.  Additionally,  in  extensional  type  theory  it  is  not  possible  to 
implement  equality  on  open-terms  by  untyped  reduction,  as  in  the  presence  of  contradictory 
assumptions,  all  terms  are  equal,  and  hence  terms  that  would  ordinarily  be  ill-typed  are  well- 
typed  (e.g.  int  =  int  x  int,  so  fst  6  is  well-typed).  This  problem  can  be  solved  by  defining 


reduction  on  ill-typed  terms,  as  in  NuPRL’s  direct  computation  (Constable  et  al.  1986).  On  the 


other  hand,  the  extensional  theory  is  more  general,  because  it  can  describe  both  extensional  and 
intensional  groupoids.  Intensional  type  theory  restores  decidability  by  forcing  one  to  always 
work  up  to  equivalence,  never  equality.  For  example,  if  nat  is  defined  as  an  intensional  set  by 
the  usual  inductive  definition,  then  any  type  family  x  :  nat  h  C  type  has  an  action  mapc  (P  : 
ldnat  M  N)  :  C[M ]  =  C[N],  In  fact,  this  isomorphism  is  the  identity,  but  intensional  type 
theory  assumes  the  worst — that  it  is  an  arbitrary  isomorphism — and  forces  the  programmer  to 
push  it  around  a  term  explicitly — e.g.,  canceling  inverses,  or  substituting  P  with  another  proof 
Q.  Thus,  extensional  type  theory  can  be  more  convenient  to  use,  because  coercions  by  equalities 
(as  opposed  to  more  general  equivalences)  are  tacit,  and  thus  there  is  never  a  need  to  reason  about 
them. 


OTT  (Altenkirch  et  al.  2007)  combines  intensional  type  theory  (no  equality  reflection  rule) 


with  extensional  concepts  such  as  proof-irrelevance  and  functional  extensionality,  all  without 
introducing  stuck  closed  terms  (a  problem  simple  axiomatic  treatments  of  functional  extension¬ 
ality  suffer  from).  It  does  this  by  distinguishing  a  universe  of  proof-irrelevant  propositions  prop 
from  arbitrary  sets.  Under  the  present  analysis,  we  see  that  an  OTT  proposition  is  an  exten¬ 
sional  proposition-,  all  proofs  of  it  are  definitionally  equal.  On  the  other  hand,  an  OTT  set  is  an 
intensional  set  (intensional  0-groupoid):  while  all  proofs  of  propositional  equality  are  proposi- 
tionally  equal  (uip-def),  propositional  equality  does  not  induce  a  definitional  equality  (reflect). 
That  said,  on  OTT  set  is  trivially  an  extensional  1-groupoid,  because  all  proofs  of  higher  dimen¬ 
sional  identities  are  definitionally  equal.  This  corresponds  to  the  original  semantic  motivation 
for  OTT  (Altenkirch],  1999),  as  an  intensional  set  that  is  also  an  extensional  groupoid  is  exactly 
a  setoid. 
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Adapting  this  terminology  to  the  directed  case,  we  say  that  2DTT  has  a  universe  of  exten- 
sional  1-categories  (T  b  A  type),  and  a  universe  of  extensional  0-categories  (T  b  S' :  set),  and 
nothing  else.  The  higher-dimensional  and  intensional  variants  are  an  interesting  subject  for  future 
work. 


8.3  Related  Work 


The  functorial/monadic  approach  to  abstract  syntax  was  developed  by  Altenkirch  and  Reus 
(|1999|);  |Fiore  et  aI7|  (|1999|);  |Hofmann|  (|1999|).  2DTT  allows  this  theory  to  easily  be  put  into 
practice,  by  providing  a  language  in  which  it  is  easy  to  describe  categorical  constructions.  Addi¬ 
tionally,  the  signatures  available  in  2DTT  are  more  general,  in  that  they  allow  mixing  of  admis¬ 
sibility  and  derivability — existing  functorial  accounts  of  syntax  concentrate  only  on  derivability. 


Fiore’s  later  work  (Fiore,  2008)  gives  a  semantics  for  second-order  and  dependently  typed  ab¬ 


stract  syntax,  though  not  both  at  once.  To  our  knowledge,  the  analysis  of  the  structural  properties 
of  the  generic  judgement  in  terms  of  the  Grothendieck  construction  is  novel,  or  at  least  has  not 


been  used  in  type  theory.  2DTT  will  enable  us  to  go  beyond  LF-based  systems  (Altenkirch  and 
Reus,  1999;  Pfenning  and  Schurmann[  1999} |Plentka,  2008;  Poswolsky  and  Schurmann}  2008) 
by  supporting  both  admissibility  and  derivability. 

Pouillard  and  Pottier  (2010)  describe  an  interface  to  dependent  de  Bruijn  indices  that  en¬ 
sures  that  any  function  I  [  -0:ctx.  A  commutes  with  bijections  on  variables.  2DTT  improves  on 
this  in  several  ways:  First,  we  generalize  this  result  to  other  notions  of  transformation,  including 
directed  ones:  ctx  can  be  chosen  to  force  such  a  function  to  respect  only  equality,  bijections,  re¬ 
namings,  or  general  substitutions.  Second,  Pouillard  and  Pottier  (2010j)’s  representation  is  some¬ 
what  non-standard:  contexts  are  treated  as  abstract  type,  and  de  Bruijn  indices  are  represented 
relationally,  by  defining  a  relation  that  means  i  is  the  successor  of  j.  This  allows  naturality  at 
ctx  to  be  encoded  using  the  naturality  of  abstract  types.  In  2DTT,  we  do  not  need  this  encoding. 


Third,  in  Pouillard  and  Pottier  (2010),  these  naturality  properties  are  not  available  for  reasoning 
inside  of  of  the  type  theory,  only  in  an  external  relational  interpretation.  In  contrast,  2DTT  treats 
them  as  rules  of  the  type  theory. 


Chapter  9 
Conclusion 


Any  stamp  collector  will  recognize  the  Inverted  Jenny,  a  1918  24-cent  misprint  featuring  an 
upside-down  Curtiss  JN-4  airplane.  In  a  sense,  the  work  described  in  this  dissertation  is  also 
upside-down,  compared  to  the  textbook  dissertation:  we  begin  in  Part  [I]  with  the  most  practical 
work,  and  get  progressively  more  theoretical  in  Parts  [TT]  and  III  In  Part  [I]  we  argued  that  it  is 
possible  to  define,  study,  automate,  and  use  domain- specific  logics  within  a  dependently  typed 
programming  language,  by  showing  how  to  construct  a  security-typed  language  and  a  semantic 
type  system  for  differential  privacy.  These  examples  make  essential  use  of  both  derivability  and 
admissibility,  and  the  remainder  of  the  thesis  describes  progress  towards  putting  these  two  no¬ 
tions  of  consequence  on  equal  footing,  rather  than  privileging  one  over  the  other  (derivability  in 
LF,  admissibility  in  MLTT).  In  Part|n[  we  described  a  logical  framework  that  allows  derivabil¬ 
ity  and  admissibility  hypothetical  judgements  to  be  mixed  in  novel  and  interesting  ways.  The 
fact  that  admissibilities  can  invalidate  the  structural  properties  of  derivability  was  handled  by 
a  collection  of  ad-hoc  tactics  that  implement  the  structural  properties  in  many  useful  cases.  In 
Part[nT|  we  analyzed  these  tactics  as  functoriality,  and  showed  that  a  directed  type  theory,  inspired 
by  higher  category  theory,  accounts  for  the  structural  properties  of  the  generic  judgement.  Our 
investigation  into  programming  with  logics  prompted  two  independently  interesting  technical 
contributions,  spanning  all  three  points  of  the  Curry-Howard  correspondence.  The  first,  higher- 
order  focusing  for  intuitionistic  logic,  is  a  logical  formalism  that  handles  inductive  types  well, 
using  an  infinitary  proof  theory.  The  second,  directed  type  theory,  is  an  exciting  and  fundamental 
generalization  of  dependent  type  theory  that  accounts  for  asymmetric  concepts. 

Thus,  the  real  test  of  this  work  will  be  whether  we  can,  in  the  next  several  years,  bring  it 
back  down  to  Earth.  What  is  the  road  map  to  doing  so?  The  first  step  is  the  theoretical  work  on 
directed  type  theory  outlined  above: 

1.  It  is  paramount  to  adapt  familiar  type  constructors,  such  as  an  inductive  datatype  mecha¬ 
nism,  to  the  directed  case.  Inductive  types  may  be  handled  by  giving  a  directed  analogue 
of  IF-types  (Nordstrom  et  al.[  1990)  or  indexed  containers  (Altenkirch  and  Morris] [2009). 

2.  The  analog  of  symmetric  type  theory’s  quotient  types  is  the  notion  of  an  internal  category 
in  directed  type  theory,  which  will  allow  programmers  to  define  their  own  directed  types 
by  giving  a  collection  of  elements  and  a  notion  of  transformation  between  them. 

3.  The  concept  of  the  opposite  of  a  category,  which  ordinarily  plays  a  central  role  in  account- 
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ing  for  variances,  is  much  more  subtle  in  the  dependent  case  than  in  the  non-dependent  case 
usually  considered.  A  full  accounting  of  variances  involves  a  modality  for  contravariance 
that  demands  further  investigation. 

4.  Semantically,  it  is  clear  that  one  should  be  able  to  internalize  the  judgement  a  :  M  ==>a  N 
by  a  directed-Hom-type  Horru(M,  N )  of  transformations  between  M,  N  :  A,  as  long  as 
M  is  treated  as  a  contravariant  position.  However,  the  introduction  and  elimination  rules 
for  this  type  require  further  study. 

5.  In  addition  to  the  admissibility  II,  which  is  contravariant  in  its  domain,  there  is  a  covariant 
II-type  corresponding  the  exponential  object  in  the  category  of  presheaves.  We  have  given 
operationally  plausible  rules  for  this  type,  but  have  left  the  restrictions  necessary  to  avoid 
impredicativity  to  future  work.  This  covariant  II  is  analogous  to  parametric  polymorphic 
quantification,  and  suggests  a  semantically  motivated  way  of  integrating  higher-order  ab¬ 
stract  syntax  into  our  approach. 

6.  Semantically,  all  of  symmetric  type  theory  sits  inside  of  directed  type  theory,  as  every 
groupoid  is  a  category.  By  exposing  this  structure  in  the  syntax,  we  can  ensure  that  directed 
type  theory  provides  strictly  greater  flexibility  than  traditional  type  theories. 

7.  Thus  far,  we  have  considered  only  the  two-dimensional  case  of  directed  type  theory; 
higher-dimensional  generalizations  would  admit  more  sophisticated  constructions,  which 
make  use  of  transformations  between  transformations. 

Once  these  issues  are  understood,  the  next  step  is  implementation.  Some  issues  are  familiar 
from  existing  proof  assistants.  For  example,  we  must  outfit  directed  type  theory  with  practical 
necessities  like  meta-variables  and  implicit  argument  reconstruction.  Other  issues  are  new:  For 
example,  in  the  current  presentation,  we  have  taken  many  equations  for  resp  and  map  to  hold 
definitionally.  These  include  both  the  equations  defining  these  constructs  for  each  type  and  term, 
as  well  as  associativity  and  unit  laws.  It  remains  to  be  seen  whether  this  theory  can  be  effectively 
implemented.  One  approach  would  be  to  isolate  a  decidable  notion  of  definitional  equality,  and 
switch  to  a  presentation  that  treats  equality  more  like  in  intensional  type  theory,  at  which  point  we 
could  prove  a  decidability  result.  Another  would  be  to  keep  the  theory  in  its  current  extensional 
form,  and  show  that  the  equational  theory,  though  undecidable  in  general,  can  be  automated 
enough  to  be  useful  in  practice. 

To  validate  this  work,  we  must  show  that  directed  type  theory  improves  upon  the  examples 
that  we  have  used  for  motivation  here:  For  example,  we  hope  to  show  that  we  can  write  down 
signatures  for  BL0  and  differential  privacy  and  automatically  derive  the  structural  properties  from 
them;  and  that  we  can  provide  a  concrete  syntax  for  derivability  that  is  as  convenient  as  Twelf. 
If  we  can  succeed  at  this  endeavor,  and  successfully  integrate  the  representational  power  of  LF 
with  the  computational  power  of  Martin-Lof  type  theory,  then  we  will  significantly  improve  on 
current  technology  for  programming  with  domain-specific  logics,  with  broad  applications  to  pro¬ 
gram  verification  and  mechanized  metatheory.  On  the  one  hand,  our  work  permits  computation 
to  be  used  in  the  specification  of  logical  systems,  allowing  more  object-language  concepts  to 
be  inherited  from  the  meta-language.  On  the  other,  our  work  makes  it  easier  to  program  with 
domain-specific  logics  and  type  systems,  transforming  more  of  programming  language  design 
into  ordinary  programming. 
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